Solved

How do I prevent Java image upload applet from destroying PHP session variables?

Posted on 2008-10-15
13
1,002 Views
Last Modified: 2013-12-13
Hello, this is my first post so I hope I have formatted this all properly.

I'm developing a website that uses PHP and MySQL. User content is uploaded and stored based off unique user IDs stored in the PHP superglobal $_SESSION['user_id'].

An important part of this is FAST image upload. I downloaded a Java program called Thin Image Upload (http://upload.thinfile.com/image/) to handle the image uploads, only whenever the applet uses upload.php all session variables are lost; the PHP upload script is attached.

If I point a regular HTML form to use this script it works fine, session variables are there; however, when the Java applet uses the code the session data gets lost, print_r($_SESSION) prints an empty array.

So somehow the Java is not talking to the PHP. I've even tried setting cookies in the upload.php script but those too get destroyed. I don't know Java, but my only idea is that I somehow need to preserve the session variable in Java somewhere and recover it in the PHP?

Thanks for taking the time to look at this.
-Brian
<?php

session_start();

$uid = $_SESSION['user_id'];

print_r($_SESSION);

$save_path = "img/";
$time = time();

// $this->db is the framework's database object (query() / insert_id()), so this
// snippet is assumed to run inside a class method where $this is available.

if ($_FILES)
{
	$unique = 0;
	$i = 0;
	$k = 0;
	$current = 1;
	$pass = 1;
	$_new = array();   // picture_id => original file name, filled during pass 1

	$file = $_FILES['userfile'];
	$k = count($file['name']);

	$unique = count(array_unique($_FILES['userfile']['name']));

	while ($i < $k)
	{
		$name = $_FILES['userfile']['name'][$i];
		// derive the stored name from this file's name (one array element, not the whole array)
		$url = substr(sha1($_FILES['userfile']['name'][$i] . rand()), 0, 12);

		if (isset($save_path) && $save_path != "")
		{
			move_uploaded_file($file['tmp_name'][$i], $save_path . $url . ".jpg");

			switch ($pass)
			{
				case 1: // original
					$sql = "INSERT INTO picture (picture_full, picture_author, picture_time) VALUES ('$url','$uid','$time')";
					$result = $this->db->query($sql);
					$pid = $this->db->insert_id();
					$_new[$pid] = $name;
					break;

				case 2: // medium sized
					foreach ($_new as $key => $value)
					{
						if ($value == $name)
						{
							$pid = $key;
							$sql = "UPDATE picture SET picture_med = '$url' WHERE picture_id = '$pid'";
							$result = $this->db->query($sql);
						}
					}
					break;

				case 3: // small sized
					foreach ($_new as $key => $value)
					{
						if ($value == $name)
						{
							$pid = $key;
							$sql = "UPDATE picture SET picture_small = '$url' WHERE picture_id = '$pid'";
							$result = $this->db->query($sql);
						}
					}
					break;
			}

			if ($current >= $unique)
			{
				$pass++;
				$current = 1;
			}
			else $current++;
		}

		$i++;   // advance outside the if, so the loop also ends when no save path is set
	}

	echo $unique . " pictures successfully uploaded<br>";
}

// the applet.php part

<object type="application/x-java-applet;version=1.4.1"
	width="300" height="309" id="thin" name="Thin Upload">
<param name="archive" value="ThinImage.jar">
<param name="code" value="com.thinfile.upload.ThinImageUpload">
<param name="MAYSCRIPT" value="yes">
<param name="name" value="Thin Image Upload">
<param name="props_file" value="thinupload.php">
</object>


0
Comment
Question by:bperin42
13 Comments
 

Expert Comment

by:CodilX
ID: 22727076
Why don't you try making the picture upload form in a popup? Or maybe try a different script for uploading.
0
 

Author Comment

by:bperin42
ID: 22727352
Both scripts work fine, but the Java can't handle any session variables; making the Java applet open in a popup window yields the same results, empty sessions.
0
 

Expert Comment

by:larsson12
ID: 22738656
Hi

I have exactly the same problem with a self-written Java-Applet on one of many servers I'm using.

The applet does a URLConnection to a PHP script on the server (the same server the applet is hosted on, which is necessary according to the Java sandbox).

If I set a session on the PHP page the Java applet is started from, the session should then be available in the PHP page that is called from within the applet.

The same script works perfectly on several other servers, but I can't figure out which PHP setting is different on the problem server...

I'm using exactly the same Apache (Apache/2.2.3) and PHP versions (5.2.0-8+etch11) on another server where it works perfectly. I have also checked all session settings which are presented with phpinfo() on both servers and they are identical.

bperin42: Have you solved the problem?

Anyone else having an idea?

Thanks!

-- Anders
0
 

Expert Comment

by:larsson12
ID: 22742550
Hi again...

I have solved the problem...

The session was destroyed by an installed PHP module called "suhosin", which is part of the "http://www.hardened-php.net/" project.

I deactivated the module and all works fine again.

I think the problem is that the user agent is different between the standard browser request and the request made by the Java applet, and the suhosin module then destroys the session, but I have verified this!

-- Anders
0
 

Author Comment

by:bperin42
ID: 22761687
how did you go about deactivating the module?
0
 

Expert Comment

by:larsson12
ID: 22761726
Hi

One way is to uninstall the entire suhosin module from the server or, as I did, just deactivate its options in the virtual host for my domain with this in the Apache conf:

php_admin_value suhosin.session.cryptdocroot 0
php_admin_value suhosin.session.cryptua 0
php_admin_value suhosin.session.encrypt 0
0
 

Author Comment

by:bperin42
ID: 22763305
I appended these 3 lines to my httpd.conf file
php_admin_value suhosin.session.cryptdocroot 0
php_admin_value suhosin.session.cryptua 0
php_admin_value suhosin.session.encrypt 0

rebooted the server, but those session variables are still being killed somewhere. Does it matter where I add the new lines in the config file?
0
 

Expert Comment

by:larsson12
ID: 22764830
I think the php_admin_value directives must be placed inside a virtual host directive in the Apache conf.

Have you checked that you really have the "suhosin" module installed in Apache?

You can check this with <?php phpinfo(); ?> on a php-page.

With this code you can also check what the suhosin.session values are currently set to.
0
 

Author Comment

by:bperin42
ID: 22770633
Oh, maybe I don't then. Under the loaded modules section I have the following:

core prefork http_core mod_so mod_auth_basic mod_auth_digest mod_authn_file mod_authn_alias mod_authn_anon mod_authn_dbm mod_authn_default mod_authz_host mod_authz_user mod_authz_owner mod_authz_groupfile mod_authz_dbm mod_authz_default util_ldap mod_authnz_ldap mod_include mod_log_config mod_logio mod_env mod_ext_filter mod_mime_magic mod_expires mod_deflate mod_headers mod_usertrack mod_setenvif mod_mime mod_dav mod_status mod_autoindex mod_info mod_dav_fs mod_vhost_alias mod_negotiation mod_dir mod_actions mod_speling mod_userdir mod_alias mod_rewrite mod_proxy mod_proxy_balancer mod_proxy_ftp mod_proxy_http mod_proxy_connect mod_cache mod_suexec mod_disk_cache mod_file_cache mod_mem_cache mod_cgi mod_perl mod_php5 mod_proxy_ajp mod_python mod_ssl

no suhosin, but your explanation makes so much sense that the Java applet is using a different user agent. Any other ideas on how to sync these two? I also tried to add a value to the $_FILES array before the actual upload happens but that got erased as well.
0
 

Expert Comment

by:larsson12
ID: 22774173
Ok, then it must be some other session setting which is set on your server, because in a standard php installation, the session will work fine.

If you can change the Java code, you should be able to set the user agent with this call (if the HttpURLConnection class is used):

conn.setRequestProperty("User-agent", "my agent name");
0
 

Author Comment

by:bperin42
ID: 22837644
Well, I figured out a solution so I'll post it here in case anyone else runs into this problem.
Yes, the problem was that the Java code could not talk to PHP directly. I couldn't modify the code directly, but I did have access to the properties file, which basically just sets up how the Java code will run. Within this properties sheet it has a line that points to the URL of the PHP upload script. So what I did was create an upload token in PHP and append it to the URL. You could just append the user_id or whatever, like

upload.php?uid=25, however people could mess with this.

So I used MySQL to generate a UUID; this UUID was stored in a table in the DB indexed by the user_id, and then the UUID is returned,

so I have upload.php?token=$uuid in the properties script.

upload.php then looks at this UUID token, goes into the database and recovers the user_id, which is then used to store the picture's information in the database.
0
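The token scheme described in the answer above, written out as an added example (not the poster's code or the Thin Image Upload project's). It assumes an open mysqli connection in $db, an assumed upload_token table (schema in the comments) and PHP 7.1 or later; it uses random_bytes() instead of MySQL's UUID(), because a UUID is unique but not built to be unguessable, and gives the token a short lifetime so a leaked props file URL stops working on its own.

```php
<?php
// Added example, not the poster's code. Assumes an open mysqli connection in $db
// and this (assumed) table:
//   CREATE TABLE upload_token (token CHAR(64) PRIMARY KEY, user_id INT NOT NULL,
//                              expires_at DATETIME NOT NULL);

// Run in the page that embeds the applet, after session_start(); the returned
// value goes into the props file as upload.php?token=<value>.
function issue_upload_token(mysqli $db, int $userId, int $ttlSeconds = 600): string
{
    // 256 bits from a CSPRNG: unguessable, unlike a user_id or a UUID in the URL.
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare(
        'INSERT INTO upload_token (token, user_id, expires_at)
         VALUES (?, ?, DATE_ADD(NOW(), INTERVAL ? SECOND))'
    );
    $stmt->bind_param('sii', $token, $userId, $ttlSeconds);
    $stmt->execute();
    return $token;
}

// Run at the top of upload.php instead of reading $_SESSION['user_id'].
// Returns the owning user_id, or null if the token is malformed, unknown or expired.
function redeem_upload_token(mysqli $db, string $token): ?int
{
    // Reject anything that is not exactly the shape we issue before touching the DB.
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT user_id FROM upload_token WHERE token = ? AND expires_at > NOW()'
    );
    $stmt->bind_param('s', $token);
    $stmt->execute();
    $stmt->bind_result($userId);
    return $stmt->fetch() ? (int) $userId : null;
}

// Housekeeping: run from a cron job or occasionally from upload.php.
function purge_expired_upload_tokens(mysqli $db): int
{
    $db->query('DELETE FROM upload_token WHERE expires_at <= NOW()');
    return $db->affected_rows;
}

// In upload.php:
//   $uid = redeem_upload_token($db, $_GET['token'] ?? '');
//   if ($uid === null) { http_response_code(403); exit('invalid or expired upload token'); }
```

Because the applet can make several requests for one upload (the script above handles three passes), the token is time-limited rather than single-use; if the applet only ever makes one request, add a used flag and set it in the same statement that checks it.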
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 23580950
PAQed with points refunded (500)

Computer101
EE Admin
0
