Cookies and Sessions Cookies are useful for storing user info that should be retained from one page to the next. (Overcome the ‘stateless’ nature of the web) Cookies are written to the client’s hard drive. Problems: –User can disable cookies in the browser –Cookies may be viewed by other users –Can only store 20 cookies; max 4KB. –Some browsers may display incorrectly unless all options are set in setcookie() (eg expiration time, path) –C:\documents and

Creating a cookie setcookie(name,value,expiration); –Eg, setcookie(“fruit”,”banana”,time()+3600); The cookie is called ‘fruit’ and has a value of ‘banana’; it will expire 1 hr from now. –Eg. setcookie(“username”,”jceddia”,time()+1800); Cookie values are sent as part of the HTTP headers (transparent to user). No output should be sent to the browser (echo etc) until the cookie is set else cookie will not be set.

Accessing A Cookie Once created,cookie values are automatically available to PHP scripts as a variable having the same name as the cookie. –Eg. echo “the current user is $username”; Php associative array HTTP_COOKIE_VARS contain the value of every current cookie Foreach ($HTTP_COOKIE_VARS as $name =>$value) echo “ $name => $value”;

Cookie examples <?php // set an individual cookie $value = 'something from somewhere'; setcookie ("TestCookie", $value); setcookie ("TestCookie", $value,time()+3600); /* expire in 1 hour */ setcookie ("TestCookie", $value,time()+3600, "/~rasmus/", ".example.com", 1); ?> <?php // Print an individual cookie echo $_COOKIE["TestCookie"]; echo $HTTP_COOKIE_VARS["TestCookie"]; ?>

Deleting a Cookie Automatically deleted after expiration time Can manually delete by setting negative time setcookie(“username”,””,time()-3600); Other cookie options setcookie( name,value,expire,path,domain,secure ) path=which scripts have access to cookie values?. By default, any script in the current server directory downward have access. Parent directory doesn’t.

Other cookie options domain = by default, a cookie is only available to scripts on the current web server. Specify a domain name for other servers. NOTE that some browsers need at least two dots in the domain name (Netscape). secure = how cookies are sent. 1 = https (secure connection) 0 = http (normal connection) php has Mcrypt functions. Eg. setcookie(“username”,”jceddia”,time()+3600,”/webroot”, ”

Redirection Once login data is captured/validated then want to go to a new page. Header(“Location: URL”); header("Location: p-6-2.html"); General technique: –Site start page = login page –Login page validates user and set cookies –Redirect to new page –New page uses cookie data to access DB info

Sessions What if user disables cookies? Need to store data on the server. This is done in session variables. A session variable is a regular global variable that, when registered as a session variable, keeps its value on all pages that use PHP4 sessions. To register a session variable: – assign a value to a variable that is to become a session variable $mysessvar = “somevalue” –and call session_register(“mysessvar"). –On all subsequent pages that use sessions (by calling session_start()), the variable mysessvar will have the value assigned to it.

Session cont. –A visitor accessing your web site is assigned an unique id, the so-called session id. This is either stored in a cookie on the user side or is propagated in the URL. –The session support allows you to register arbitrary numbers of variables to be preserved across requests. When a visitor accesses your site, PHP will check automatically (if session.auto_start is set to 1) or on your request (explicitly through session_start() or implicitly through session_register()) whether a specific session id has been sent with the request. If this is the case, the prior saved environment is recreated. –All registered variables are serialized after the request finishes. Registered variables which are undefined are marked as being not defined. On subsequent accesses, these are not defined by the session module unless the user defines them later.

–The track_vars and register_globals configuration settings influence how the session variables get stored and restored.track_varsregister_globals –Note: As of PHP 4.0.3, track_vars is always turned on.track_vars –Note: As of PHP 4.1.0, $_SESSION is available as global variable just like $_POST, $_GET, $_REQUEST and so on. Not like $HTTP_SESSION_VARS, $_SESSION is always global. Therefore, global should not be used for $_SESSION. –If register_globals is enabled, then all global variables can be registered as session variables and the session variables will be restored to corresponding global variables. Since PHP must know which global variables are registered as session variables, users must register variables with session_register() function while $HTTP_SESSION_VARS/$_SESSION do not need to use session_register(). –See php manual for further explanation of track_vars and register_globalsphp manual

Example 1. Registering a variable with track_vars enabled <?php if (isset($HTTP_SESSION_VARS['count'])) { $HTTP_SESSION_VARS['count']++; } else { $HTTP_SESSION_VARS['count'] = 0; } ?> Use of $_SESSION (or $HTTP_SESSION_VARS with PHP or less) is recommended for security and code readablity. Disabling register_globals is recommended for both security and performance reason.

–With $_SESSION or $HTTP_SESSION_VARS, there is no need to use session_register() or session_unregister() or session_is_registered() functions. Users can access session variables like a normal variables. –Example 2. Registering a variable with $_SESSION. <?php // Use $HTTP_SESSION_VARS with PHP or less if (!isset($_SESSION['count'])) { $_SESSION['count'] = 0; } else { $_SESSION['count']++; } ?>

Example 3. Unregistering a variable with $_SESSION. <?php // Use $HTTP_SESSION_VARS with PHP or less unset($_SESSION['count']); ?>

Session Ids. There are two methods to propagate a session id: – Cookies – URL parameter –The session module supports both methods. Cookies are optimal, but since they are not reliable (clients are not bound to accept them), we cannot rely on them. The second method embeds the session id directly into URLs. – PHP is capable of doing this transparently when compiled with --enable-trans-sid. If you enable this option, relative URIs will be changed to contain the session id automatically. Alternatively, you can use the constant SID which is defined, if the client did not send the appropriate cookie. SID is either of the form session_name=session_id or is an empty string.

Sid’s –The following example demonstrates how to register a variable, and how to link correctly to another page using SID. Example 5. Counting the number of hits of a single user <?php if (!session_is_registered('count')) { session_register('count'); $count = 1; } else { $count++; } ?> Hello visitor, you have seen this page times. ;

Sid’s cont. <?php # the ( can be used if short tag is enabled) # is necessary to preserve the session id # in the case that the user has disabled cookies ?> To continue, ">click here The is not necessary, if --enable-trans- sid was used to compile PHP. Note: Non-relative URLs are assumed to point to external sites and hence don't append the SID, as it would be a security risk to leak the SID to a different server.

Session functions –session_start -- Initialize session data –session_destroy -- Destroys all data registered to a session –session_name -- Get and/or set the current session name –session_module_name -- Get and/or set the current session module –session_save_path -- Get and/or set the current session save path –session_id -- Get and/or set the current session id –session_register -- Register one or more variables with the current session –session_unregister -- Unregister a variable from the current session –session_unset -- Free all session variables –session_is_registered -- Find out if a variable is registered in a session –session_get_cookie_params -- Get the session cookie parameters –session_set_cookie_params -- Set the session cookie parameters –session_decode -- Decodes session data from a string –session_encode -- Encodes the current session data as a string –session_set_save_handler -- Sets user-level session storage functions –session_cache_limiter -- Get and/or set the current cache limiter –session_cache_expire -- Return current cache expire –session_write_close -- Write session data and end session

Session_start() All pages that uses PHP4 sessions must call the function session_start() to tell the PHP4 engine to load session related information into memory. The session_start() function tries to find the session id in the cookie field or the request parameters for the current HTTP request. If it cannot find the session id, a new session is created.

Session_register() The first example (page1.php): <?php session_start(); $my_session_variable = "some value"; session_register("my_session_variable"); ?> //may also use $_SESSION[‘my_session_var'] = “somevalue”;

–What this does is that it registers the variable my_session_variable as a session variable. This means that the variable will be alive (keep it's value) across page-accesses, as long as you call the session_start() function on all pages that need access to the my_session_variable variable. Example 2 (page2.php): <?php session_start(); print "Value of 'my_session_variable': $my_session_variable"; ?>

Using session variables for authentication in conjunction with a database. Create a login-page gives the user a userid and password form and posts to another PHP page (this example uses mysql): <?php session_start(); if ($userid && $password) { $res = mysql_query("SELECT userid FROM users WHERE userid='$userid' AND password='$password'"); if(mysql_num_rows($res) != 0) { $verified_user = $userid; session_register("verified_user"); } Header("Location: your_main_page.php"); ?> Now, on 'your_main_page.php', you call session_start() and then you can check the verified_user variable to see if the user has been authenticated (and who he is). Other uses for session variables, easing database load by caching certain values in the session rather than reading them from the database on each page access.

Example 2 – register user –Just to make explicit what probably others have already figured out from the documentation, only global variables can be stored in the session. Any variable that you manipulate in a function must be declared global if you want to store it in the session, and any session variable that you need access to must be declared global. For example, session_start(); function confirmUserLogin ($postLoginUrl) // Function to check login { // To get access to this session var, I must declare it global. global $session_userID; if (!IsSet($session_userID)) { session_register('session_post_login_page'); // To set this session var, I must declare it global. global $session_post_login_page; $session_post_login_page = $postLoginUrl; redirect("/login/"); } }

Destroying a session <?php // Initialize the session. session_start(); // Unset all of the session variables. session_unset(); // Finally, destroy the session. session_destroy(); ?>

Destroying a session - $_SESSION <?php // Initialize the session. session_start(); // Unset all of the session variables. $_SESSION = array(); // Finally, destroy the session. session_destroy(); ?> ** See example by Christopher Fryer.

Templates Templates allow the separation of php code from html Useful on large sites where graphic designers manipulate html and php programmers write code Sample Template The answer to today’s question is {ANSWER}. {ANSWER} is a template variable which is ‘evaluated’ when the page is fetched

To Use Templates - do Create a template file Create a php script that fills in the template by 1.Instantiate a template object (template.inc) 2.Associate a template variable with the template file (.tpl extension) 3.Assign values to template variables ( 4.Parse the template variable associated with the template file 5.Print the value of the template containing the result.

Template Example. Assume that there is a template in the /home/mydir/mytemplates/ named MyTemplate.tpl that has some text that reads something like this: Congratulations! You won a new {some_color} Book! "{some_color}" has curly braces around it. The curly braces indicate that some_color is a template variable. A PHP script that will load the template, insert the value of the PHP variable $my_color where the {some_color} template variable tag is, and then output the new text. If $my_color happens to be set to "blue", the final output should look like: Congratulations! You won a new blue Book!

Template Example cont. <?php include "template.inc"; $my_color = "blue"; // we'll use this later $t = new Template("/home/mydir/mytemplates/"); // create a template object named $t $t->set_file("MyFileHandle","MyTemplate.tpl"); // set MyFileHandle = our template file $t->set_var("some_color",$my_color); // set template variable some_color = $my_color value $t->parse("MyOutput","MyFileHandle"); // set template variable MyOutput = parsed file $t->p("MyOutput"); // output the value of MyOutput (our parsed data) ?>

Template Example cont. NOTE: The path ("/home/mydir/mytemplates/") in the Template constructor call sets the root path where your templates are located, but if you leave it out it defaults to the same directory as your PHP script. Nothing is output to the web server until p("MyOutput") is called, which outputs the final parsed text.

Nested Templates A feature of the parse() function is that the MyOutput handle that it created is actually a template variable, just as {some_color} is a template variable. So if you have another template with a {MyOutput} tag, when you parse that second template, all of the {MyOutput} tags will be replaced with the parsed text from MyOutput. This lets you embed the text of one template file into another template. So, we could have another template called wholePage.tpl that contains the text: Sorry you didn't win. But if you had won, we would have told you: {MyOutput} And after wholePage.tpl is parsed, the final output would be: Sorry you didn't win. But if you had won, we would have told you: Congratulations! You won a new blue Book!

Nested template example <?php $t = new Template("/home/mydir/mytemplates/"); // These three lines are the same as the first example: $t->set_file("MyFileHandle","MyTemplate.tpl"); $t->set_var("some_color",$my_color); $t->parse("MyOutput","MyFileHandle"); // (Note that we don't call p() //here, so nothing gets output yet.) // Now parse a second template: $t->set_file("WholeHandle","wholePage.tpl"); // wholePage.ihtml has "{MyOutput}" in it $t->parse("MyFinalOutput","WholeHandle"); // All {MyOutput}'s get replaced $t->p("MyFinalOutput"); // output the value of MyFinalOutput ?>

Template Array parameters parse() and p() can be combined using the shorter function pparse() replacing the last two lines with The functions set_file() and set_var() can also accept multiple sets of values at a time by passing an array of handle/value pairs. Here are examples: <?php $t->set_file(array( "pageOneHandle" => "pageone.tpl", "pageTwoHandle" => "pagetwo.tpl")); $t->set_var(array( "last_name" => "Gates", "first_name" => "Bill", "net_worth" => $reallybignumber)); ?>

Appending Template Text A third parameter that you can pass to parse() and pparse() if you want to append data to the template variable rather than overwrite it. Simply call parse() or pparse() with the third parameter as true, such as parse("MyOutput","MyFileHandle", true); ?> If MyOutput already contains data, MyFileHandle will be parsed and appended onto the existing data in MyOutput. This technique is useful if you have a template where you want the same text to be repeated multiple times, such as listing multiple rows of results from a database query.

Example <?php $t = new Template("/home/mydir/mytemplates/"); $t->set_file(array( "mainpage" => "mainpage.tpl", "each_element" => "each_element.tpl")); reset($myArray); while (list($elementName, $elementValue) = each($myArray)) { // Set 'value' and 'name' to each element's value and name: $t->set_var("name",$elementName); $t->set_var("value",$elementValue); // Append copies of each_element: $t->parse("array_elements","each_element",true); } $t->pparse("output","mainpage"); ?>

Example cont. This example uses two templates, mainpage.tpl and each_element.tpl. The mainpage.tpl template could look something like this: Here is the array: {array_elements} The {array_elements} tag above will be replaced with copies of each_element.tpl, which is repeated for each element of the array ($myArray). The each_element.tpl template might look like this: {name}: {value} The result is a formatted table of the elements of $myArray.

Constructing a complete web site A typical web page includes elements such as: –Headers : appear at the top of the page –Navigation bar : below the header or on LHS of page –Content : in the center of the page –Footers : at the bottom of the page For consistency across the whole site it is usual to create a template that ‘describes’ each element and an additional template file describing the way these elements are combined.

Example - Std.tpl {title} {header} {leftnav} {content}

Example - header.tpl The Generic Web Site

Example - leftnav.tpl Home Function 1 Function 2 Logout

Example - index.tpl Welcome to the {title}! This is where you'll find information about absolutely nothing. We're so sure you won't find anything of interest here, we'll pay you if you can show us we're wrong.

Example - index.php <?php include 'template.inc'; $tpl = new Template('.'); //assume the templates are in the current directory $tpl->set_file(array('std' =>'std.tpl', 'header' =>'header.tpl', 'leftnav'=>'leftnav.tpl', 'content'=>'index.tpl')); $tpl->set_var('title', 'Generic Web Site'); $tpl->parse('header', 'header'); $tpl->parse('leftnav', 'leftnav'); $tpl->parse('content', 'content'); $tpl->parse('DUMMY', 'std'); $tpl->p('DUMMY'); ?>