|
home—lects—hws
D2L—breeze (snow day)
We have discussed cookies, and in particular how setting a cookie "userID" can help us (the server) keep track of repeated visits from the same browser&user. (If you leverage that with having the server keep a database for each user, then this gives us history that can cross browsers.)
youtube (26m00s):Self-assessment: Why does the following not print out 2.50?
<?php // before any html has been printed: setcookie('hamburger-price', 2.50); ?> ⋮ <p> The going rate for hamburgers is $<?php printf("%.2f", $_COOKIE['hamburger-price'] ); ?>. </p> |
$_SESSION['first_name'] = "Marc"; $_SESSION['age'] = 35; |
This page sets a session and a cookie; leads to a page that unsets the cookie (but not the session); which leads to a page that stops the session too.
Gotcha:setcookie sets a cookie relative to the current directory, but the session cookie (by default) is relative to root. So to destroy the session cookie, you must pass'/' (by default) as the 4th argument tosetcookie .Better, rather than assuming that session-cookies use / as the cookie-path, you should look up what the path for session-cookies is, using
session_get_cookie_params :
$myParams = session_get_cookie_params(); echo "The default path of cookies is ", $myParams['path']; print_r($myParams); setcookie( session_name(), '', 1, $myParams['path'] ); // note that sadly, php doesn't let you just do this in one line: // setcookie( session_name(), '', 1, session_get_cookie_params()['path'] ); // Syntax error!
IMPORTANT:
If your session allows access to any secure information
(for instance, once a user successfully types a password,
you set
But we don't create that cookie ourselves!
We'd just called
php_ini('session.cookie_secure',true) |
Remember that sessions (and, cookies) span multiple windows/frames within the same browser.
Imagine:
Btw, I don't think that cookies (and hence sessions) get shared between different computers1, but it's conceivable that Chrome might allow sync’ing of cookies. Certainly, I personally synchronize my files between two different computers (which includes stored cookies).
This means that if you have javascript which stores info client-side in files, your application should be robust against that file seeming to “disappear” halfway through a session. (Really, you should be somewhat robust against this regardless.)
Gotcha:session_start() puts a write-lock on the session file, so any other process trying to access it will block. (In particular: that 'other process' might be yourself, via an included-file which is also doing asession_start() !) One possible workaround (and good practice regardless): As soon as you've completed any/all updates to$_SESSION values, callsession_commit . This writes and closes the data file, although it doesn't unset data in memory so you can still refer to$_SESSION . (Just remember that any later changes made to the array are no longer being committed, and because you've given up the lock others might be updating the file w/o you seeing any changes. You can apparently callsession_commit again later, though presumably if some other process is accessing the file it may block and then it will overwrite the other file's changes.)
In fact, it's conceivable that
two different browsers might share cookies —
e.g. imagine if Firefox and Mozilla intentionally used the
same directory to store cookie-info.
So your server-side code shouldn't really care/notice
if the user manages to “migrate” a session
from one browser to another;
your server probably shouldn't store
(say) the browser-type in
Besides, in this example about browser-type,
you wouldn't want to store that as session info,
but instead just use the
http header's
User-Agent
field.
Your PHP code can retrieve that information through the superglobal
home—lects—hws
D2L—breeze (snow day)
©2017, Ian Barland, Radford University Last modified 2017.Apr.05 (Wed) |
Please mail any suggestions (incl. typos, broken links) to ibarlandradford.edu |