Nikolay Kostov Telerik Corporation

 HTTP headers  Output buffer control  Browser cache  Redirecting the browser

 Each HTTP request and response contains of headers and body  Headers describe the transferred data  Type  Length  Encoding  Etc.  PHP can modify the response headers  header function

 header($header, $replace, $response_code)  Adds or modifies HTTP header of the response  $header is string in the following form  Name: Value  $replace sets whether to replace existing similar header with the same name or add it  $response_code sets the HTTP response code (e.g. 302, 404, etc.)

 Redirect the Web browser  Set multiple headers with one name  Example: force browser to require HTTP authentication  Example: page inaccessible header ("Location: header ("WWW-Authenticate: Negotiate"); header ('WWW-Authenticate: Basic realm="Secure Area"', false); header ("WWW-Authenticate: Negotiate"); header ('WWW-Authenticate: Basic realm="Secure Area"', false); header ("HTTP/ Not Found"); // or maybe header ("HTTP/ Forbidden"); header ("HTTP/ Not Found"); // or maybe header ("HTTP/ Forbidden");

 Example: Page receives get parameter "down" that is some MP3 file ID in directory (MP3DIR constant)  This script will either send 404 error on request or will return the MP3 file for download $file = MP3DIR.$_GET['down'].".mp3"; if (!file_exists($file)) header ("HTTP/ Not Found",true,404); header ("HTTP/ Not Found",true,404); else { header ('Content-Type: audio/x-mp3'); header ('Content-Type: audio/x-mp3'); header ('Content-Length: '. header ('Content-Length: '.filesize($file)); header('Content-Disposition: attachment; '. 'filename='.$_GET['down'].'.mp3'); header('Content-Disposition: attachment; '. 'filename='.$_GET['down'].'.mp3'); echo file_get_contents($file); echo file_get_contents($file);} $file = MP3DIR.$_GET['down'].".mp3"; if (!file_exists($file)) header ("HTTP/ Not Found",true,404); header ("HTTP/ Not Found",true,404); else { header ('Content-Type: audio/x-mp3'); header ('Content-Type: audio/x-mp3'); header ('Content-Length: '. header ('Content-Length: '.filesize($file)); header('Content-Disposition: attachment; '. 'filename='.$_GET['down'].'.mp3'); header('Content-Disposition: attachment; '. 'filename='.$_GET['down'].'.mp3'); echo file_get_contents($file); echo file_get_contents($file);}

 Browser cache resources, downloaded over network  On next request they use the headers to detect if they should re-download or reuse the cached resource  Resources carry set of headers to control the browser caching  Expires header, Last-Modified, If-Modified-Since header  ETag, If-None-Match  Cache-Control

 HTTP Request Example:  HTTP Response Example: GET /index.html HTTP/1.0 User-Agent: Mozilla/5.0 From: something.somewhere.net Accept: text/html,text/plain,application/* Host: If-Modified-Since: Wed, 19 Oct :50:00 GMT GET /index.html HTTP/1.0 User-Agent: Mozilla/5.0 From: something.somewhere.net Accept: text/html,text/plain,application/* Host: If-Modified-Since: Wed, 19 Oct :50:00 GMT HTTP/ Not Modified Date: Fri, 31 Dec :59:59 GMT HTTP/ Not Modified Date: Fri, 31 Dec :59:59 GMT

 Server sends Last-Modified and Expires dates in response for the resource  Tells the browser how long the resource should be kept as current version  Both in GMT format  Browser sends If-Modified-Since header on each request with the date of the resource it has cached  If version is latest, server replies with "303 Not Modified" HTTP code

 ETag is unique identifier for the resource and its version  Sent by the server, stored by the browser  Browser sends on next request the ETag of the cached version  Sends the ETag in If-None-Match header  Newer approach  Most web servers send both Last-Modified and ETag headers

 Server can send Cache-Control header that instruct the browser cache engine  Value consists of comma separated name=value pairs or only names  max-age=seconds – sets maximum time that version should be considered fresh  s-maxage=seconds – same as max-age but applies to proxies  public – marks headers of response as cacheable

 no-cache – instructs revalidation to be required on next request  Usually performed as HEAD request  no-store – instructs not to store version of the resource under any circumstances  must-revalidate – tells cache engines they must obey and freshness information you give them  Some caches load older version under some circumstances  proxy-revalidate – similar to must-revalidate but applies to proxies

Disable Browser Cache - Example header('Cache-Control: no-cache'); header('Pragma: no-cache'); header("Expires: 0"); header('Cache-Control: no-cache'); header('Pragma: no-cache'); header("Expires: 0");

 The Web server (Apache) buffers the script output  Sends it automatically if there is enough data to send (buffer is full)  Buffer can be controlled  Multiple buffers can be defined and flushed, canceled or stored  Allows reordering of the output data  Example – first run script that generates page body, then print head  Example – first print output, then send headers

 Functions for buffer control are prefixed with ob_ in PHP  ob_start ($callback, $chunk, $erase) – starts new buffer  After this function is called no output is sent to the browser, except headers  Output buffers are stackable  Can call second ob_start while another is active

 All parameters are optional  $callback is function name to call when buffer is flushed  This function can modify the data to be sent  Receives one parameter – the data in the buffer  Must return string – the data to be sent  If $chunk is specified, buffer will flush if stored data reaches this size  Value of 0 means no automatic flush  Value of 1 sets $chunk to 4096  $erase sets whether the buffer should not be deleted until script ends

 ob_flush – sends the buffer content and erases all stored data  Keeps the buffer active  ob_end_flush – similar to ob_flush but destroys the buffer  ob_implicit_flush ($mode) – sets implicit flush on or off  $mode is optional boolean, defaults to true  With implicit flush, all writing to the buffer is automatically sent

 ob_get_contents – returns the content of the current buffer as string  Doesn't clear or stop the buffer  ob_get_clean – returns the buffer content and deletes it  ob_get_flush – returns the buffer content, flushes it and deletes it

 ob_clean – erases the data in the output buffer but does not delete the buffer  ob_end_clean – cleans the output buffer data and deletes the buffer  ob_end_flush – flushes the output buffer and deletes it

Questions?

Exercises Create pages login.php and main.php and implement the following logic:   The login.php displays login form (username/password)   If successfully authenticated, the user is redirected to the main.php   Otherwise an error message is shown and the login form is displayed again   If main.php is requested and the user is not logged in, it redirects to login.php   Implement also “Logout” functionality