Sessions and cookies MIS 3501, Spring 2016 Jeremy Shafer Department of MIS Fox School of Business Temple University 4/12/2016.

Course Overview Slide 2
HTML & CSS: Weeks 1 & 2
PHP: Weeks 3 – 5
MySQL: Weeks 6 & 7
PDO Week
To do: Organize your code with MVC (week 12), Work with forms (week 13), Use cookies and sessions (week 14). We are here.

Objectives Slide 3
Learning objectives for the week
1. Understand why HTML pages are referred to as “stateless”.
2. Understand how cookies and sessions are used to preserve state, and the differences between cookies and sessions.
3. Understand the PHP commands used to manipulate sessions.
4. Understand the PHP commands used to direct a user to another page.

Preserving State Slide 4

Why managing state is difficult with HTTP Slide 5 This is why we say HTML is “stateless”. There’s nothing implicit in a browser’s treatment of HTML that “remembers” the pages that were returned previously. HTML pages are, by design, intended to work over an intermittent network connection.

Choices for managing state Slide 6 Cookies. Sessions. We are going to talk about sessions … and in a way that’s a little backwards, because cookies came first. But sessions are generally better / more secure / more useful and easier to work with. In the next slides we will compare these two mechanisms…

How cookies work Slide 7

How sessions work Slide 8

Slide 9

Preserving State Slide 10 Let’s try this example… Suggestion Box. There should be a “public facing” aspect of our suggestion box application. It is for regular employees. It allows for anonymous submission of suggestions. But there is also a report that only management should see. We need to know the state of a session variable we’ll call “LOGGED_IN” on report.php. Either the user logged in OK or did not.

Mechanics …how is this accomplished? Slide 11
Things we need to know how to do:
1. Let specific PHP pages know that we intend to use sessions.
2. Put a value into the $_SESSION[] array on successful login.
3. For protected content, check to see if that $_SESSION[] variable exists. Take appropriate action if it does (or does not) exist.
4. Destroy the session when we are done. (#4 is trickier than you might think)

The session_start() function Easy, right?! Just remember this one fact … you need to use the session_start() function on each page where you intend to use session data. You also have the option of changing the default behavior of the cookie with this function. You don’t typically need to do this. Slide 12

The $_SESSION array Slide 13 This convention should remind you of working with $_POST and $_GET. It should, because $_POST, $_GET and $_SESSION are all superglobals. What’s a superglobal? A superglobal is just an array that the PHP interpreter gives you “for free”; that is, you don’t need to declare it or control its behavior. Remember… When the session_start() function is called, PHP either initializes a new $_SESSION superglobal or retrieves any variables for the existing session into the $_SESSION superglobal.

Killing the session Slide 14
PHP gives us the function session_destroy(). The session_destroy() function destroys all of the data associated with the current session. But … it does not:
1. unset any of the global variables associated with the session
2. unset the session cookie on the browser

A complete logout script – logout.php Slide 15
<?php
// Initialize the session... Yes, this is the session we want to destroy.
session_start();
// Unset all of the session variables. The session array is assigned to an empty array.
$_SESSION = array();
// Now... the tricky part... kill the cookie on the browser.
// Delete the cookie for the session.
$name = session_name();                // Get name of the session cookie
$expire = strtotime('-1 year');        // Create expiration date in the past
$params = session_get_cookie_params(); // Path and domain must match the session cookie, or the browser keeps it
// Set the cookie value to an empty string, and expire it.
setcookie($name, '', $expire, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
// Finally, destroy the session.
session_destroy();
// All done with the session. Direct the user back to a landing page.
header('Location: ../index.php');
exit(); // Stop here so nothing else runs after the redirect header is sent
?>

Directing the user to different pages Slide 16 This process of directing the user from one page to another implies that we have some command(s) for doing just that sort of thing. We may want to direct the user to one page or another depending on the state of the application. This sort of conditional operation implies that … we’re talking about conditional statements in the controller.

Directing the user to different pages (2) Slide 17 We have already seen controllers that use include and exit commands to reference different views. But… what if I want to jump the user to an entirely different application?

Directing the user to different pages (3) Slide 18 For that, we will use a different command! The header command has this syntax: header('Location: url-goes-here'); exit();

Directing the user to different pages (4) Slide 19 Technically, this is a bit of an oversimplification… but it is a good rule of thumb. Use include and exit within an application folder. Use header and exit to bounce the user from one application folder to another.
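Steps 1 to 3 of the "Mechanics" slide, applied to the suggestion box's LOGGED_IN flag and the header/exit redirect, as an added example that is not part of the original slides. The function names, the login URL and the $users array of password hashes are assumptions made for illustration.

```php
<?php
// Added example, not from the original slides. Function names, the
// $users store and the redirect target are hypothetical.

// Step 1: every page that touches session data starts the session first.
// The options tighten the session cookie: not readable from JavaScript,
// not sent on cross-site requests, and unknown session ids are rejected.
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start([
            'cookie_httponly' => true,
            'cookie_samesite' => 'Lax',
            'use_strict_mode' => true,
        ]);
    }
}

// Step 2 (login page): put a value into $_SESSION on successful login.
// $users maps user name => password_hash() output (assumed store).
function log_in(string $user, string $password, array $users): bool
{
    start_secure_session();
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return false;
    }
    // Issue a fresh session id at login so an id the browser held
    // before authentication cannot be reused afterwards.
    session_regenerate_id(true);
    $_SESSION['LOGGED_IN'] = true;
    return true;
}

// Step 3 (top of report.php): check the flag before showing anything.
function require_login(string $loginUrl = '../login.php'): void
{
    start_secure_session();
    if (($_SESSION['LOGGED_IN'] ?? false) !== true) {
        header('Location: ' . $loginUrl);
        exit(); // without exit, the rest of report.php would still run
    }
}
```

report.php would call require_login() as its first statement, before any output is sent, because header() only works while no page content has been written yet.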

Let’s try it. As they say in show business… Slide 20