cookies and sessions
chapter 9
From PHP Visual Quickstart Guide by Larry Ullman
Based on notes by Jack Davis (jcdavis@radford.edu)
As larger, more complex web sites are built, the
limitation of HTTP as a stateless protocol becomes a
problem. Web developers have no built-in (HTML) method
of remembering data from one page of an application
to the next. This is a serious shortcoming: e-commerce
systems, user registration and login systems, and other
online services rely on this functionality. Fortunately,
maintaining state from one page to another is fairly
simple using PHP.
- Cookies
- A method for the server to store information about the user --
on the user's machine -- so that the server can remember
the user over the course of a visit or across several
web visits.
- Cookies have gotten a bad rap because some users
believe cookies allow a server to know too much
about them. However, a cookie can only be used to
store information that you give it, so it's as
secure as you want it to be.
- Cookies are created by the server but stored on the client
machine. They record the domain (and path) of the server
that created them, and the browser attaches them to every
HTTP request it sends to the server listed in their stored
information.
- Creating cookies -
Cookies are sent as part of the HTTP headers of the
response, ahead of the HTML document, so they
must be created before any output is written to the PHP-generated
response.
setcookie(name, value, expiration, path, domain, secure, httponly);
- name - (required) cookie name
- value - (required) limited to 4KB of data, string
- expiration - (optional) used to set a specific
length of time for the cookie to exist. To set the
expiration time, you add time to the current time.
The time() function can be used to build this parameter,
setcookie('cname','value',time() + 3600);
- path and domain (optional) parameters are used to limit a cookie
to a specific folder in a Web site (the path) or to
a specific domain, so this might be used to limit a
cookie to a subdomain, such as forum.example.com.
Using the path option, you could limit a cookie to exist only
while a user is in the user folder of the domain:
setcookie('name','value',time() + 3600, '/user/');
- secure value (optional) dictates that a cookie should
only be sent over a secure HTTPS connection. A value
of 1 (true) indicates that a secure connection must be used,
whereas 0 (false) indicates that a secure connection isn't
required.
setcookie('name','value',time()+3600,'','',true);
- httponly (optional) - can be used to restrict access to
the cookie (for example, preventing a cookie from being
read using JavaScript) but isn't supported by all browsers.
- Script Example
ch09-customize.php
- Deleting a Cookie -
Delete an existing cookie by sending a blank cookie with the same name
and an expiration time in the past:
setcookie('name','',time()-600);
You can also set the timeout to 1 (one second after the epoch start);
note that setting it to 0 (or omitting it) defaults to
timing out at the end of the browser session.
- Sessions
- The session_start() function either:
- Starts a new session (by sending a cookie; it must be called before
any HTML is sent!)
or
- Resumes the current session (using the cookie $_COOKIE['PHPSESSID']).
- When a session is started a random session ID is generated and a cookie
is sent to the Web browser with the name PHPSESSID and that random value.
- Once the session has been started, a session variable can be created by
assigning values to the $_SESSION array:
$_SESSION['first_name'] = "Marc";
$_SESSION['age'] = 35;
PHP writes the session data to a temporary file stored on the server.
- An example that
sets a session and a cookie;
leads to a page that unsets the cookie (but not the session);
which leads to a page that stops the session too.
ch09-cookies-sessions-0.php
- ch09-login.php
- To delete a session variable you must unset the value in the session
array.
unset($_SESSION['first_name']);
- To terminate a session (e.g. when the user logs out), there are three steps to
follow(!):
- Destroy the contents of the $_SESSION array in memory.
Use session_unset(), since $_SESSION is a superglobal.
- Destroy the info saved on the server's disk.
Use session_destroy().
- Finally, destroy the cookie associated with the session.
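The three-step logout above, combined with the secure/httponly cookie flags from the Cookies section, as an added PHP example (not code from these notes or from Ullman's book). The single hard-coded user and password are constructed stand-ins for a real user store, and the samesite attribute is an addition beyond the flags the notes list.

```php
<?php
// Added example: hardened session cookie, login, and the three-step logout.
// The constructed credential below stands in for a real user store (assumption).
declare(strict_types=1);

// PHPSESSID attributes must be set before session_start() sends the cookie.
session_set_cookie_params([
    'lifetime' => 0,      // 0: expires when the browser session ends
    'path'     => '/',
    'secure'   => true,   // only sent over HTTPS
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();          // sends or resumes PHPSESSID; no output before this

function login(string $user, string $password): bool
{
    // Constructed credential: user "marc" with password "example".
    $stored = ['user' => 'marc', 'hash' => password_hash('example', PASSWORD_DEFAULT)];
    if ($user !== $stored['user'] || !password_verify($password, $stored['hash'])) {
        return false;
    }
    // Fresh ID after authentication, so a pre-login ID cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    return true;
}

function logout(): void
{
    session_unset();      // step 1: clear $_SESSION in memory
    session_destroy();    // step 2: remove the data file on the server
    // Step 3: expire the cookie on the client. Path/domain/flags must match
    // the ones it was set with, or the browser keeps the old cookie.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
}

$action = $_POST['action'] ?? '';
if ($action === 'login') {
    $ok = login((string) ($_POST['user'] ?? ''), (string) ($_POST['password'] ?? ''));
    echo $ok ? 'Logged in as ' . htmlspecialchars($_SESSION['user']) : 'Login failed';
} elseif ($action === 'logout') {
    logout();
    echo 'Logged out';
}
```

Both actions are taken via POST so that a logout cannot be triggered by a plain link; after logout() the browser holds neither a valid ID nor a cookie that names one.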
- Real-life systems:
Authenticate, and change the session name with every interaction
(so it can never be used twice).
Use PEAR libs to keep track of it.
- IT-AUTH -- not released to students, since it enables
students to create popular RU pages
that authenticate and surreptitiously record
each user's password.
Don't tempt an honest man.