ITEC 325 2012fall ibarland

home—lects—exams—hws
D2L—breeze (snow day)

lect08b-sessions
sessions
chapter 9

From PHP Visual Quickstart Guide by Larry Ullman
Originally based on notes by Jack Davis (jcdavis@radford.edu)

We have discussed cookies, and in particular how setting a cookie "userID" can help us (the server) keep track of repeated visits from the same browser&user. (If you leverage that with having the server keep a database for each user, then this gives us history that can cross browsers.)

Self-assessment: Why does the following not print out 2.50?

<?php
  // before any html has been printed:
  setcookie('hamburger-price', 2.50);
  ?>

  ⋮
  <p>
  The going rate for hamburgers is $<?php printf("%.2f", $_COOKIE['hamburger-price'] ); ?>.
  </p>
 

Sessions

1. Single page, no state.
2. Using POST/GET to pass state from one page to the next: add info to URL
3. Using cookies: the browser passes a (variant) GET argument with a serial number
4. Writing a file server-side (perhaps along with previous technique)
5. sessions: an automated way of doing the previous: create/restore an array on each visit (using a file kept server-side, and client-side a cookie so the server knows which stored file should be used for a given HTTP request)

• The session_start function either:
  • Starts a new session (by sending a cookie — therefore session_start must be called prior to any HTML being sent!)
  or it
  • Resumes the current session (looking up $_COOKIE['PHPSESSID'], and using that to find an existing filename created/saved on a previous visit.)
• When a session is started, a random session ID is generated and a cookie is sent to the Web browser with a name of PHPSESSID and a random value.
  (Aside: how do we guard against people making up session IDs? Possible discussion: sites that use guessable session IDs. )
• Once the session has been started, a session variable can be created by assigning values to the $_SESSION array:
  

  $_SESSION['first_name'] = "Marc"; $_SESSION['age'] = 35;

  PHP writes data to a temporary file stored on the server.
• An example that sets a session and a cookie; leads to a page that unsets the cookie (but not the session); which leads to a page that stops the session too. lect09a-ch09-cookies-sessions-0.php

A smaller example is at page0.php. A similar (but more varied) example is at lect09a-ch09-login.php.

• To delete a session variable you must unset the value in the session array.
  unset($_SESSION['first_name']);
  
• To terminate a session (e.g. user logs out), there are three things that must be done (!):
  • Destroy the contents of the $_SESSION array in memory. Use session_unset, since it's a superglobal.
  • Destroy the info saved on the server's disk. Use session_destroy.
  • Finally, destroy the cookie associated with the session: setcookie( session_name(), '', 1, '/' )

    Gotcha: setcookie sets a cookie relative to the current directory, but the session cookie (by default) is relative to root. So to destroy the session cookie, you must pass '/' (by default) as the 4th argument to setcookie.

    Better, rather than assuming that session-cookies use / as the cookie-path, you should look up what the path for session-cookies is, using session_get_cookie_params:

    $myParams = session_get_cookie_params(); echo "The default path of cookies is ", $myParams['path']; print_r($myParams); setcookie( session_name(), '', 1, $myParams['path'] ); // note that sadly, php doesn't let you just do this in one line: // setcookie( session_name(), '', 1, session_get_cookie_params()['path'] ); // Syntax error!

• php docs

home—lects—exams—hws
D2L—breeze (snow day)

©2012, Ian Barland, Radford University Last modified 2012.Nov.21 (Wed)

Please mail any suggestions (incl. typos, broken links) to ibarlandradford.edu