Hi,

To stop bots from accessing secured pages, I've added the following code to a
banner page that is called by every page. Furthermore, each page starts with
<?php session_start(); ?> and includes the banner page:

'top1.php' [banner page]

<?php
if((eregi("((Yahoo! Slurp|Yahoo! Slurp China|.NET CLR|Googlebot/2.1|
Gigabot/2.0|Accoona-AI-Agent))",$_SERVER['HTTP_USER_AGENT'])))
{
if ($_SERVER['HTTPS'] == "on")
{
session_destroy();
header("Location: http://localhost/logout.php");
}
}
?>

I'm testing on localhost with the browser set to 'Googlebot/2.1' - and the
code works great. Any page that is set for https is not served, and if https
has been set by a previous visit, it goes to http://somepage.

However, checking the live version, I get an secure-error_log entry:

"PHP Warning: session_destroy() [<a
href='function.session-destroy'>function.session-destroy</a>]: Trying to
destroy uninitialized session"

Question is: didn't the session_start(); on the calling page take effect, or
is this some other problem?

Is there something like 'isset' to check whether 'session_destroy(); is
needed? [I've tried isset, it barfs the code.]

Tia,
Andre

At 1/20/2007 02:14 PM, Andre Dubuc wrote:
>However, checking the live version, I get an secure-error_log entry:
>
>"PHP Warning: session_destroy() [<a
>href='function.session-destroy'>function.session-destroy</a>]: Trying to
>destroy uninitialized session"
>
>Question is: didn't the session_start(); on the calling page take effect, or
>is this some other problem?


I've gotten the distinct impression from the documentation and from
my own experiences that session_start() is required at the beginning
of every page/script that references the session. See
http://ca3.php.net/session_start including Examples 1 and 2.

Paul

On Saturday 20 January 2007 05:33 pm, Paul Novitski wrote:
> At 1/20/2007 02:14 PM, Andre Dubuc wrote:
> >However, checking the live version, I get an secure-error_log entry:
> >
> >"PHP Warning: session_destroy() [<a
> >href='function.session-destroy'>function.session-destroy</a>]: Trying to
> >destroy uninitialized session"
> >
> >Question is: didn't the session_start(); on the calling page take effect,
> > or is this some other problem?
>
> I've gotten the distinct impression from the documentation and from
> my own experiences that session_start() is required at the beginning
> of every page/script that references the session. See
> http://ca3.php.net/session_start including Examples 1 and 2.
>
> Paul

That would tend to make sense despite that the calling page has arleady
initiated one. Worth a try . .

Thanks,
Andre

Andre Dubuc wrote:
> Hi,
>
> To stop bots from accessing secured pages, I've added the following code to a
> banner page that is called by every page. Furthermore, each page starts with
> <?php session_start(); ?> and includes the banner page:
>
> 'top1.php' [banner page]
>
> <?php
> if((eregi("((Yahoo! Slurp|Yahoo! Slurp China|.NET CLR|Googlebot/2.1|
> Gigabot/2.0|Accoona-AI-Agent))",$_SERVER['HTTP_USER_AGENT'])))
> {
> if ($_SERVER['HTTPS'] == "on")
> {
> session_destroy();
> header("Location: http://localhost/logout.php");
> }
> }
> ?>
>
> I'm testing on localhost with the browser set to 'Googlebot/2.1' - and the
> code works great. Any page that is set for https is not served, and if https
> has been set by a previous visit, it goes to http://somepage.
>
> However, checking the live version, I get an secure-error_log entry:
>
> "PHP Warning: session_destroy() [<a
> href='function.session-destroy'>function.session-destroy</a>]: Trying to
> destroy uninitialized session"

which page is causing the error? is it logout.php perhaps? does that page
call session_destroy too?

your browser making a request with the user-agent set to 'GoogleBot Blabla'
is not the same as an actual googlebot that's making a request - in the difference
could lie the problem

is session_start() actually returning true we you call it in script run as a result of
a request initialized by a bot?

btw: do you need to send the bot to logout.php if you've just destroyed the session?
also, why not just redirect to an http url if it's a bot connecting via https
and forget trying to destroy the session?

>
> Question is: didn't the session_start(); on the calling page take effect, or
> is this some other problem?
>
> Is there something like 'isset' to check whether 'session_destroy(); is
> needed? [I've tried isset, it barfs the code.]
>
> Tia,
> Andre
>

Andre Dubuc wrote:
> Hi,
>
> To stop bots from accessing secured pages, I've added the following code to a
> banner page that is called by every page. Furthermore, each page starts with
> <?php session_start(); ?> and includes the banner page:
>
> 'top1.php' [banner page]
>
> <?php
> if((eregi("((Yahoo! Slurp|Yahoo! Slurp China|.NET CLR|Googlebot/2.1|
> Gigabot/2.0|Accoona-AI-Agent))",$_SERVER['HTTP_USER_AGENT'])))
> {
> if ($_SERVER['HTTPS'] == "on")
> {
> session_destroy();
> header("Location: http://localhost/logout.php");
> }
> }
> ?>
>
> I'm testing on localhost with the browser set to 'Googlebot/2.1' - and the
> code works great. Any page that is set for https is not served, and if https
> has been set by a previous visit, it goes to http://somepage.
>
> However, checking the live version, I get an secure-error_log entry:
>
> "PHP Warning: session_destroy() [<a
> href='function.session-destroy'>function.session-destroy</a>]: Trying to
> destroy uninitialized session"
>
> Question is: didn't the session_start(); on the calling page take effect, or
> is this some other problem?
>
> Is there something like 'isset' to check whether 'session_destroy(); is
> needed? [I've tried isset, it barfs the code.]
>
> Tia,
> Andre

This is the kind of thing which you should probably handle from your
..htaccess or http.conf file:

RewriteEngine on

RewriteCond %{HTTPS} on
RewriteCond %{REMOTE_ADDR} ^192\.168\.0\.55$
RewriteRule ^.*\.php$ http://192.168.0.5/target_page.php


Or the rewrite rule can be:

RewriteRule ^.*\.php$ - [F]

The latter will return a 403 forbidden response.

You can use regular expression syntax to get a set of IP addresses:
RewriteCond %{REMOTE_ADDR} ^192\.168\.0\.[6-254]$





--

_____________________
Myron Turner
http://www.room535.org
http://www.bstatzero.org
http://www.mturner.org/XML_PullParser/

# EMAIL REMOVED / 2007-01-20 17:14:34 -0500:
> To stop bots from accessing secured pages, I've added the following
> code to a banner page that is called by every page. Furthermore, each
> page starts with <?php session_start(); ?> and includes the banner
> page:
>
> 'top1.php' [banner page]
>
> <?php
> if((eregi("((Yahoo! Slurp|Yahoo! Slurp China|.NET CLR|Googlebot/2.1|
> Gigabot/2.0|Accoona-AI-Agent))",$_SERVER['HTTP_USER_AGENT'])))
> {
> if ($_SERVER['HTTPS'] == "on")
> {
> session_destroy();
> header("Location: http://localhost/logout.php");

google for robots.txt, less work with the same effect.

--
How many Vietnam vets does it take to screw in a light bulb?
You don't know, man. You don't KNOW.
Cause you weren't THERE. http://bash.org/?255991

On Sun, 21 Jan 2007 10:11:11 +0000, EMAIL REMOVED (Roman
Neuhauser) wrote:

># EMAIL REMOVED / 2007-01-20 17:14:34 -0500:
>> To stop bots from accessing secured pages, I've added the following
>> code to a banner page that is called by every page. Furthermore, each
>> page starts with <?php session_start(); ?> and includes the banner
>> page:
>>
>> 'top1.php' [banner page]
>>
>> <?php
>> if((eregi("((Yahoo! Slurp|Yahoo! Slurp China|.NET CLR|Googlebot/2.1|
>> Gigabot/2.0|Accoona-AI-Agent))",$_SERVER['HTTP_USER_AGENT'])))
>> {
>> if ($_SERVER['HTTPS'] == "on")
>> {
>> session_destroy();
>> header("Location: http://localhost/logout.php");
>
>google for robots.txt, less work with the same effect.


But robots.txt, I believe, relies on a gentleman's agreement between
the robot and your server. Check out "Blocking of Robots":
http://httpd.apache.org/docs/2.0/misc/rewriteguide.html

Myron Turner