|
We have discussed cookies, and in particular how setting a cookie "userID" can help us (the server) keep track of repeated visits from the same browser&user. (If you leverage that with having the server keep a database for each user, then this gives us history that can cross browsers.)
youtube (26m00s):Self-assessment: Why does the following not print out 2.50?
<?php
// before any html has been printed:
setcookie('hamburger-price', 2.50);
?>
⋮
<p>
The going rate for hamburgers is $<?php printf("%.2f", $_COOKIE['hamburger-price'] ); ?>.
</p>
|
$_SESSION['first_name'] = "Marc"; $_SESSION['age'] = 35; |
This page sets a session and a cookie; leads to a page that unsets the cookie (but not the session); which leads to a page that stops the session too.
Gotcha: setcookie sets a cookie relative to the current directory, but the session cookie (by default) is relative to root. So to destroy the session cookie, you must pass '/' (by default) as the 4th argument to setcookie.Better, rather than assuming that session-cookies use / as the cookie-path, you should look up what the path for session-cookies is, using session_get_cookie_params:
$myParams = session_get_cookie_params(); echo "The default path of cookies is ", $myParams['path']; print_r($myParams); setcookie( session_name(), '', 1, $myParams['path'] ); // note that sadly, php doesn't let you just do this in one line: // setcookie( session_name(), '', 1, session_get_cookie_params()['path'] ); // Syntax error!
IMPORTANT: If your session allows access to any secure information (for instance, once a user successfully types a password, you set $_SESSION['loggedIn'] = true), you want to be sure that no eavesdropper is (or was) able to ever see what the session-cookie's value is. Since cookies are sent by the client, we need to make sure the session-cookie is tagged as secure.
But we don't create that cookie ourselves! We'd just called session_start, which takes no parameters. Alas, we have to set a preference before setting cookies:
php_ini('session.cookie_secure',true) |
Remember that sessions (and, cookies) span multiple windows/frames within the same browser.
Imagine:
Btw, I don't think that cookies (and hence sessions) get shared between different computers1, but it's conceivable that Chrome might allow sync’ing of cookies. Certainly, I personally synchronize my files between two different computers (which includes stored cookies).
This means that if you have javascript which stores info client-side in files, your application should be robust against that file seeming to “disappear” halfway through a session. (Really, you should be somewhat robust against this regardless.)
Gotcha: session_start() puts a write-lock on the session file, so any other process trying to access it will block. (In particular: that 'other process' might be yourself, via an included-file which is also doing a session_start()!) One possible workaround (and good practice regardless): As soon as you've completed any/all updates to $_SESSION values, call session_commit. This writes and closes the data file, although it doesn't unset data in memory so you can still refer to $_SESSION. (Just remember that any later changes made to the array are no longer being committed, and because you've given up the lock others might be updating the file w/o you seeing any changes. You can apparently call session_commit again later, though presumably if some other process is accessing the file it may block and then it will overwrite the other file's changes.)
In fact, it's conceivable that two different browsers might share cookies — e.g. imagine if Firefox and Mozilla intentionally used the same directory to store cookie-info. So your server-side code shouldn't really care/notice if the user manages to “migrate” a session from one browser to another; your server probably shouldn't store (say) the browser-type in $_SESSION, nor any other browser-specific info (at least, not info that it takes too seriously).
Besides, in this example about browser-type, you wouldn't want to store that as session info, but instead just use the http header's User-Agent field. Your PHP code can retrieve that information through the superglobal $_SERVER.
↩This page licensed CC-BY 4.0 Ian Barland Page last generated | Please mail any suggestions (incl. typos, broken links) to ibarlandradford.edu |