Andre Dubuc wrote:
> Hi,
>
> To stop bots from accessing secured pages, I've added the following code to a
> banner page that is called by every page. Furthermore, each page starts with
> <?php session_start(); ?> and includes the banner page:
>
> 'top1.php' [banner page]
>
> <?php
> if((eregi("((Yahoo! Slurp|Yahoo! Slurp China|.NET CLR|Googlebot/2.1|Gigabot/2.0|Accoona-AI-Agent))",$_SERVER['HTTP_USER_AGENT'])))
> {
> if ($_SERVER['HTTPS'] == "on")
> {
> session_destroy();
> header("Location: http://localhost/logout.php");
> }
> }
> ?>
>
> I'm testing on localhost with the browser set to 'Googlebot/2.1' - and the
> code works great. Any page that is set for https is not served, and if https
> has been set by a previous visit, it goes to http://somepage.
>
> However, checking the live version, I get a secure-error_log entry:
>
> "PHP Warning: session_destroy() [<a
> href='function.session-destroy'>function.session-destroy</a>]: Trying to
> destroy uninitialized session"
which page is causing the error? is it logout.php perhaps? does that page
call session_destroy too?
your browser making a request with the user-agent set to 'GoogleBot Blabla'
is not the same as an actual googlebot that's making a request - in the
difference could lie the problem
is session_start() actually returning true when you call it in a script run
as a result of a request initialized by a bot?
btw: do you need to send the bot to logout.php if you've just destroyed the
session?
also, why not just redirect to an http url if it's a bot connecting via https
and forget trying to destroy the session?
>
> Question is: didn't the session_start(); on the calling page take effect, or
> is this some other problem?
>
> Is there something like 'isset' to check whether 'session_destroy();' is
> needed? [I've tried isset, it barfs the code.]
>
> Tia,
> Andre
>
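
The check asked about above, combined with the reply's redirect suggestion, as an added example that is not part of the original thread: the session is destroyed only when one is actually active, so the "uninitialized session" warning cannot occur. It assumes PHP 7 or later, and the function names are hypothetical. The User-Agent header is supplied by the client, so this steers well-behaved crawlers away from HTTPS pages and is not access control for secured pages.

```php
<?php
// Added example: a guard for the banner page (top1.php). Function names are
// assumptions for illustration; the marker strings come from the original post.
// "Yahoo! Slurp China" is omitted because "Yahoo! Slurp" already matches it.
const BOT_MARKERS = ['Yahoo! Slurp', '.NET CLR', 'Googlebot/2.1',
                     'Gigabot/2.0', 'Accoona-AI-Agent'];

function ua_is_listed_bot(string $ua): bool
{
    foreach (BOT_MARKERS as $marker) {
        // Literal, case-insensitive substring match: no regex metacharacters
        // such as the "." in ".NET CLR" to escape.
        if (stripos($ua, $marker) !== false) {
            return true;
        }
    }
    return false;
}

function request_is_https(array $server): bool
{
    // $_SERVER['HTTPS'] is unset on plain HTTP; some servers set it to "off".
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

function end_session_if_active(): bool
{
    // session_destroy() warns when no session was started for this request,
    // so test the session state first instead of using isset().
    if (session_status() !== PHP_SESSION_ACTIVE) {
        return false;
    }
    $_SESSION = [];            // drop the data held in memory as well
    return session_destroy();
}

function guard_bot_request(array $server): void
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';   // header may be absent
    if (!ua_is_listed_bot($ua) || !request_is_https($server)) {
        return;
    }
    end_session_if_active();
    header('Location: http://localhost/logout.php');  // URL from the post
    exit;                       // stop rendering the HTTPS page after redirect
}

guard_bot_request($_SERVER);
```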