|
home—lects—hws
D2L—breeze (snow day)
From PHP Visual Quickstart Guide by Larry Ullman
Originally based on notes by Jack Davis (jcdavis@radford.edu)
We have discussed cookies, and in particular how setting a cookie "userID" can help us (the server) keep track of repeated visits from the same browser&user. (If you leverage that with having the server keep a database for each user, then this gives us history that can cross browsers.)
Self-assessment: Why does the following not print out 2.50?
<?php // before any html has been printed: setcookie('hamburger-price', 2.50); ?> ⋮ <p> The going rate for hamburgers is $<?php printf("%.2f", $_COOKIE['hamburger-price'] ); ?>. </p> |
$_SESSION['first_name'] = "Marc"; $_SESSION['age'] = 35; |
Gotcha:setcookie sets a cookie relative to the current directory, but the session cookie (by default) is relative to root. So to destroy the session cookie, you must pass'/' (by default) as the 4th argument tosetcookie .Better, rather than assuming that session-cookies use / as the cookie-path, you should look up what the path for session-cookies is, using
session_get_cookie_params :
$myParams = session_get_cookie_params(); echo "The default path of cookies is ", $myParams['path']; print_r($myParams); setcookie( session_name(), '', 1, $myParams['path'] ); // note that sadly, php doesn't let you just do this in one line: // setcookie( session_name(), '', 1, session_get_cookie_params()['path'] ); // Syntax error!
Remember that sessions (and, cookies) span multiple windows/frames within the same browser.
Imagine:
Btw, I don't think that cookies (and hence sessions) get shared between different computers1, but it's conceivable that Chrome might allow sync'ing of cookies. Certainly, I personally synchronize my files between two different computers (which includes stored cookies).
This means that if you have javascript which stores info client-side in files, your application should be robust against that file seeming to “disappear” halfway through a session. (Really, you should be somewhat robust against this regardless.)
Gotcha:session_start() puts a write-lock on the session file, so any other process trying to access it will block. (In particular: that 'other process' might be yourself, via an included-file which is also doing asession_start() !) One possible workaround (and good practice regardless): As soon as you're done updating any persistent values to$_SESSION , callsession_commit . This writes and closes the data file, although it doesn't unset data in memory so you can still refer to$_SESSION . (Just remember that any later changes made to the array are no longer being committed, and because you've given up the lock others might be updating the file w/o you seeing any changes. You can apparently callsession_commit again later, though presumably if some other process is accessing the file it may block and then it will overwrite the other file's changes.)
IMPORTANT:
If your session allows access to any secure information
(for instance, once a user successfully types a password,
you set
But we don't create that cookie ourselves!
We'd just called
php_ini('session.cookie_secure',true) |
In fact, it's conceivable that
two different browsers might share cookies —
e.g. Firefox and Mozilla intentionally using the
same cookie directory.
So your server-side code shouldn't really care/notice
if the user manages to “migrate” a session
from one browser to another;
your server probably shouldn't store
(say) the browser-type in
Besides, in that example (browser-type), the correct solution happens to be checking the http header's User-Agent field.
↩home—lects—hws
D2L—breeze (snow day)
©2014, Ian Barland, Radford University Last modified 2014.Nov.13 (Thu) |
Please mail any suggestions (incl. typos, broken links) to ibarlandradford.edu |