Sessions and cookies MIS 3501 Jeremy Shafer Department of MIS


Sessions and cookies MIS 3501 Jeremy Shafer Department of MIS Fox School of Business Temple University

Course Overview MySQL 2 Weeks HTML & CSS 2 Weeks PHP 3 Weeks PDO 2 weeks To do: Organize your code with MVC (1 week) Work with forms (1 week) Use cookies and sessions (1 week) We are here!!!

Objectives Learning objectives for the week Understand why HTML pages are referred to as “stateless” Understand how cookies and sessions are used to preserve state, and the differences between cookies and sessions. Understand the PHP commands used to manipulate sessions. Understand the PHP commands used to direct a user to another page.

Preserving State

Why managing state is difficult with HTTP This is why we say HTML is “stateless”. There’s nothing implicit in a browser’s treatment of HTML that “remembers” the pages that were returned previously. HTML pages are, by design, intended to work over an intermittent network connection.

Choices for managing state: Cookies and Sessions. We are going to talk about sessions … and in a way that’s a little backwards, because cookies came first. But sessions are generally better / more secure / more useful and easier to work with. In the next slides we will compare these two mechanisms….

How cookies work

How sessions work

Preserving State: Let’s try this example… (Suggestion Box) There should be a “public facing” aspect of our suggestion box application. It is for regular employees. It allows for anonymous submission of suggestions. But there is also a report that only management should see. We need to know the state of a session variable we’ll call “LOGGED_IN” on report.php. Either the user logged in OK or did not.

Mechanics …how is this accomplished? Things we need to know how to do:
1. Let specific PHP pages know that we intend to use sessions.
2. Put a value into the $_SESSION[] array on successful login.
3. For protected content, check to see if that $_SESSION[] variable exists. Take appropriate action if it does (or does not) exist.
4. Destroy the session when we are done.
(#4 is trickier than you might think)

The session_start() function Easy, right?! Just remember this one fact … you need to use the session_start() function on each page where you intend to use session data. You also have the option of changing the default behavior of the cookie with this function. You don’t typically need to do this.

The $_SESSION array What’s a superglobal? A superglobal is just an array that the PHP interpreter gives you “for free”; that is, you don’t need to declare it or control its behavior. Remember… When the session_start() function is called, PHP either initializes a new $_SESSION superglobal or retrieves any existing session variables into the $_SESSION superglobal. This convention should remind you of working with $_POST and $_GET. It should, because $_POST, $_GET and $_SESSION are all superglobals.

Killing the session PHP gives us the function session_destroy(). The session_destroy() function destroys all of the data associated with the current session. But … it does not:
- unset any of the global variables associated with the session
- unset the session cookie on the browser

A complete logout script – logout.php

<?php
// Initialize the session... Yes, this is the session we want to destroy.
session_start();
// Unset all of the session variables. The session array is assigned to an empty array
$_SESSION = array();
// Now... the tricky part... kill the cookie on the browser
// Delete the cookie for the session
$name = session_name(); // Get name of the session cookie
$expire = strtotime('-1 year'); // Create expiration date in the past
$params = session_get_cookie_params(); // Path and domain must match the original cookie, or the browser keeps it
setcookie($name, '', $expire, $params['path'], $params['domain'], $params['secure'], $params['httponly']); // Set the cookie value to empty, and expire it
// Finally, destroy the session.
session_destroy();
// All done with the session. Direct the user back to a landing page.
header('Location: ../index.php');
exit(); // Stop here so nothing else runs after the redirect
?>

FYI: I will always give you this code.

Directing the user to different pages This process of directing the user from one page to another implies that we have some command(s) for doing just that sort of thing. We may want to direct the user to one page or another depending on the state of the application. This sort of conditional operation implies that …. We’re talking about conditional statements in the controller.

Directing the user to different pages (2) We have already seen controllers that use include and exit commands to reference different views. But… what if I want to jump the user to an entirely different application?

Directing the user to different pages (3) For that, we will use a different command! The header command has this syntax: header('Location: url-goes-here'); exit();

Directing the user to different pages (4) Technically, this is a bit of an oversimplification… but it is a good rule of thumb. Use include and exit within an application folder. Use header and exit to bounce the user from one application folder to another.
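
Steps 1 to 3 from the Mechanics slide, combined with the header and exit redirect, as an added example that is not part of the original slides (step 4 is the logout script above). It assumes a single file routed by a hypothetical "page" query parameter instead of separate login and report.php pages, and DEMO_USER and DEMO_HASH are constructed sample credentials.

```php
<?php
// Added example, not from the slides: one-file demo of the LOGGED_IN pattern.
// Run with: php -S 127.0.0.1:8000 demo.php   (the file name is an assumption)
// DEMO_USER and DEMO_HASH are constructed sample credentials.
const DEMO_USER = 'manager';
define('DEMO_HASH', password_hash('example-password', PASSWORD_DEFAULT));

// Step 1: every page that touches session data calls session_start().
// The options change the default behavior of the session cookie.
session_start([
    'cookie_httponly' => true,   // cookie is not readable from JavaScript
    'cookie_samesite' => 'Lax',  // cookie is not sent on cross-site POSTs
    'use_strict_mode' => true,   // reject session IDs the server did not issue
    // 'cookie_secure' => true,  // enable when the site is served over HTTPS
]);

$page = $_GET['page'] ?? 'login';

if ($page === 'login' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = $_POST['user'] ?? '';
    $pass = $_POST['pass'] ?? '';
    // is_string() rejects array-valued fields such as user[]=x
    if (is_string($user) && is_string($pass)
        && $user === DEMO_USER && password_verify($pass, DEMO_HASH)) {
        // Step 2: issue a fresh session ID at login, then record the state.
        session_regenerate_id(true);
        $_SESSION['LOGGED_IN'] = true;
        header('Location: ?page=report');
        exit();
    }
    header('Location: ?page=login');  // failed login: back to the form
    exit();
}

if ($page === 'report') {
    // Step 3: protected content checks the session variable first.
    if (empty($_SESSION['LOGGED_IN'])) {
        header('Location: ?page=login');
        exit();  // without exit() the report below would still be sent
    }
    echo '<h1>Suggestion report</h1><p>Management only.</p>';
    exit();
}

// Default: the public login form.
echo '<form method="post" action="?page=login">'
   . '<input name="user"><input name="pass" type="password">'
   . '<button>Log in</button></form>';
```

The exit() after each header('Location: ...') is what enforces the check: header() only queues a response header, and the script keeps running until it is told to stop.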

Let’s try it. As they say in show business…