ECA 236 Open Source Server Side Scripting: Cookies & Sessions


Slide 2: HTTP

- stateless
  - every single HTML page is separate from all others
  - no way to track individual users
  - no way to retain variables
- one limited solution
  - append information to the end of a URL
  - hidden form fields
- a better solution
  - PHP cookies and sessions

    … href="process_form.php?author=Mishka" …

Slide 3: basic session functionality

- track sessions using the superglobal $_SESSION
- sessions driven by unique session ID
  - encrypted random number
  - stored on client side
  - stored as cookie or part of URL
- allows tracking of session variables
  - stored on server
  - available to any page using session ID

    ca907cf7e881d1693b9d36518b4b3f3d

Slide 4: cookies

- what cookies are
  - text file
  - stored on visitor's hard drive
  - contains textual information which can be retrieved and used in subsequent pages or visits
  - can be turned off by a user
- what cookies are not
  - executable scripts
  - able to search a user's hard drive for sensitive information

Slide 5: cookies cont …

- working with cookies
  - to test for their presence
    - view file structure of hard drive
    - open cookie in a text editor
  - change cookie settings in browser to prompt user before accepting any cookie
    - IE
      - Tools -> Internet Options
      - Security or Advanced tab
      - choose to be prompted before accepting a cookie

Slide 6: cookies cont …

- cookies must be sent before any other data is sent from the server to the client
- setcookie( ) function
  - one required parameter, the name of the cookie
  - five optional parameters
    - value
    - expire
    - path
    - domain
    - secure

Slide 7: cookies cont …

- syntax

    setcookie( 'name', 'value', expire, 'path', 'domain', secure );

    setcookie( 'myname', 'Bob' );

- this cookie is named myname, and contains the value Bob
- do not use spaces or punctuation when naming a cookie
- cookie name is case sensitive
- this cookie is temporary, lasting only as long as the user's browser remains open
- cookies are limited to 4KB in size
- browsers will accept no more than 20 cookies from any server

Slide 8: cookies cont …

- additional parameters

    setcookie( 'name', 'value', expire, 'path', 'domain', secure );

- expiration date
  - sets length of time for cookie to exist
  - specified in seconds from Unix Epoch
  - if not set, cookie will persist until browser is closed
  - integer value, so it is not quoted
  - time( ) function returns seconds from Epoch

    setcookie( 'name', 'value', time( ) );

Slide 9: cookies cont …

- additional parameters

    setcookie( 'name', 'value', expire, 'path', 'domain', secure );

- path and domain
  - used to limit a cookie to a specific folder in a specific website
  - for example, to specify a cookie to be accessible only from a particular folder

    setcookie( 'name', 'value', time( ), '/my_folder/' );

Slide 10: cookies cont …

- additional parameters

    setcookie( 'name', 'value', expire, 'path', 'domain', secure );

- secure
  - integer value, so it is not quoted
  - if on, requires that a cookie be sent over a secure setting
    - 1: secure connection is required
    - 0: regular connection is sufficient
- all parameters must be included
  - to skip one, use NULL or empty string

    setcookie( 'name', 'value', time( ), '', '', 1 );

Slide 11: deleting cookies

- a cookie will expire
  - when expiration date is reached
  - when browser is closed, if no expiration date is included
- to delete cookies manually
  - send cookie of same name with no value

    setcookie( 'name' );

  - added precaution, set expiration to time in past

    setcookie( 'name', '', time( ) - 300 );

Slide 12: accessing cookie values

- $_COOKIE
  - use appropriate cookie name as key

    $x = $_COOKIE['cookie_name'];

- check for presence of cookie with isset( )

    if ( !isset( $_COOKIE['username'] ) ) {
        // redirect to another page (the target URL is not given on the slide)
        header( 'Location: ...' );
    } else {
        // load this page
    }

Slide 13: cookie example

- To use a cookie with a log-in script
  - display HTML form asking user for her username and password
  - validate user input to make sure neither field is empty
  - query database for username and password
  - if they exist, write necessary cookies, redirect to new page
  - subsequent pages access cookie values
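A cookie value is stored on the client, so a subsequent page that only tests isset( $_COOKIE['username'] ) accepts any value the visitor chooses to send. The block below is an added example, not code from the slides: it signs the log-in cookie with an HMAC so later pages can detect edits. SECRET_KEY, the cookie name auth and the three function names are assumptions made for illustration, and the array form of setcookie( ) requires PHP 7.3 or later.

```php
<?php
// Added example: tamper-evident log-in cookie (names are illustrative).
// SECRET_KEY is a constructed demo value; load a real key from configuration.
const SECRET_KEY = 'constructed-demo-key-not-for-production';

// Build "username|expiry|mac". Usernames are assumed not to contain '|'.
function make_auth_value(string $username, int $expires): string
{
    $payload = $username . '|' . $expires;
    return $payload . '|' . hash_hmac('sha256', $payload, SECRET_KEY);
}

// Return the username if the value is authentic and unexpired, else null.
function check_auth_value(string $value, int $now): ?string
{
    $parts = explode('|', $value);
    if (count($parts) !== 3) {
        return null;
    }
    [$username, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $username . '|' . $expires, SECRET_KEY);
    if (!hash_equals($expected, $mac)) {      // constant-time comparison
        return null;
    }
    return ((int) $expires > $now) ? $username : null;
}

// Call after the database check succeeds and before any output is sent.
function send_auth_cookie(string $username): void
{
    $expires = time() + 3600;                 // one hour, chosen for the example
    setcookie('auth', make_auth_value($username, $expires), [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,                   // only sent over HTTPS
        'httponly' => true,                   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// On subsequent pages, in place of a bare isset( ) test:
$raw  = $_COOKIE['auth'] ?? null;
$user = is_string($raw) ? check_auth_value($raw, time()) : null;
if ($user === null) {
    // not logged in: redirect to the log-in form
}
```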

Slide 14: sessions

- sessions are designed to store data on server and client
- designed to work with cookies, but will still work without them
- 4 steps to using sessions
  - start a session
  - register session variables
  - access and use session variables
  - unset session variables and destroy session

Slide 15: start a session

- session_start( )
  - begin a new session
  - or access current session
- creates a unique session ID
  - cryptographically created random number
  - 32 hexadecimal values

    a558b9ac9105eda1432bb254dfa3fe18

Slide 16: start a session cont …

- by default, session ID is stored in a cookie
  - PHPSESSID
- session_start( ) must be called before any other data is sent to the browser
- if cookies are turned off, we can still use sessions
  - process is not automatic

Slide 17: session ID

- can be passed appended to URL
- is stored in a constant named SID
- append to URL in header function

    header( 'Location: http://' . $_SERVER['HTTP_HOST'] . dirname( $_SERVER['PHP_SELF'] ) . '/file_name.php?' . SID );

- embed in links

    // the link target was lost from the slide text; file_name.php is a placeholder
    echo '<a href="file_name.php?' . SID . '">page 2</a>';

Slide 18: register session variables

- $_SESSION

    $_SESSION['first_name'] = "Bob";

- to access values from a database using mysql_fetch_array( )

    $_SESSION['first_name'] = $row['first_name'];
    $_SESSION['last_name'] = $row['last_name'];
    $_SESSION['username'] = $row['username'];

- sessions can store objects and arrays as well

Slide 19: accessing session variables

- to access session variables on subsequent pages
  - reference the current session with session_start( )
  - use $_SESSION

    $first_name = $_SESSION['first_name'];

- to test that a variable is registered to the session, use isset( )

Slide 20: deleting session variables

- delete session variables once the user logs out
- unset( )
  - use to delete individual session variables

    unset( $_SESSION['variable_name'] );

- to delete every session variable, set $_SESSION array to empty array

    $_SESSION = array( );

Slide 21: destroy session

- once the user is finished with a session, end the session
- session_destroy( )
  - destroys the session and the session ID
  - does not unset any of the session variables
  - does not unset session cookie

Slide 22: session example

- To use a session with a log-in script
  - start a session with session_start( )
  - display HTML form asking user for her username and password
  - validate user input to make sure neither field is empty
  - query database for username and password
  - if they exist, register session variables, redirect user to appropriate page
  - to access session variables, subsequent pages must call session_start( )
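The session steps above, written out as an added example that is not code from the slides. It issues a fresh session ID at log-in so an ID known before authentication stops being valid, and its log-out covers the two things session_destroy( ) leaves behind: the session variables and the session cookie. The function names start_secure_session( ), log_in( ) and log_out( ) are assumptions; $row is the matched database row as on slide 18; the array arguments require PHP 7.3 or later.

```php
<?php
// Added example: session-based log-in and log-out (function names are
// illustrative, not from the slides).

function start_secure_session(): void
{
    // Reject session IDs the server did not issue itself.
    ini_set('session.use_strict_mode', '1');
    // session.use_only_cookies is on by default, so IDs arriving in a URL
    // are ignored; an ID in a URL ends up in logs, history and referrers.
    session_set_cookie_params([
        'lifetime' => 0,          // cookie ends when the browser closes
        'path'     => '/',
        'secure'   => true,       // only sent over HTTPS
        'httponly' => true,       // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();              // must run before any output is sent
}

// Call only after the username/password query has matched a row.
function log_in(array $row): void
{
    session_regenerate_id(true);  // new ID at log-in, old session data deleted
    $_SESSION['username']   = $row['username'];
    $_SESSION['first_name'] = $row['first_name'];
}

function log_out(): void
{
    $_SESSION = array();          // unset every session variable
    if (ini_get('session.use_cookies')) {
        // Expire the session cookie, matching the attributes it was set with.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 300,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
        ]);
    }
    session_destroy();            // remove the server-side session data
}
```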

Slide 23: session handling functions

- changing session configuration settings
  - session name
  - cookie lifetime
  - session maxlife
  - etc
- PHP Manual
  - XCV. Session Handling Functions