Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cookies, Sessions, and Authentication Dr. Charles Severance www.php-intro.com.

Published byClaude Palmer Modified over 9 years ago

Similar presentations

Presentation on theme: "Cookies, Sessions, and Authentication Dr. Charles Severance www.php-intro.com."— Presentation transcript:

1 Cookies, Sessions, and Authentication Dr. Charles Severance www.php-intro.com

2 High Level Summary The web is “stateless” - the browser does not maintain a connection to the server while you are looking at a page. You may never come back to the same server - or it may be a long time - or it may be one second later So we need a way for servers to know “which browser is this?” In the browser state is stored in “Cookies” In the server state is stored in “Sessions”

3 Other Web sites always seem to know who you are!

4 Multi-User When a server is interacting with many different browsers at the same time, the server needs to know *which* browser a particular request came from Request / Response initially was stateless - all browsers looked identical - this was really really bad and did not last very long at all.

5 Web Cookies to the Rescue http://en.wikipedia.org/wiki/HTTP_cookie Technically, cookies are arbitrary pieces of data chosen by the Web server and sent to the browser. The browser returns them unchanged to the server, introducing a state (memory of previous events) into otherwise stateless HTTP transactions. Without cookies, each retrieval of a Web page or component of a Web page is an isolated event, mostly unrelated to all other views of the pages of the same site.

6 http://en.wikipedia.org/wiki/HTTP_cookie

7 Cookies In the Browser Cookies are marked as to the web addresses they come from - the browser only sends back cookies that were originally set by the same web server Cookies have an expiration date - some last for years - others are short-term and go away as soon as the browser is closed

8

9

10 http://www.php-intro.com/code/sessions/sessfun.php In a fresh browser.

11

12 Sessions

13 In The Server - Sessions In most server applications, as soon as we meet a new browser - we create a session We set a session cookie to be stored in the browser which indicates the session id in use The creation and destruction of sessions is handled by a web framework or some utility code that we just use to manage the sessions

14 Session Identifier A large, random number that we place in a browser cookie the first time we encounter a browser. This number is used to pick from the many sessions that the server has active at any one time. Server software stores data in the session which it wants to have from one request to another from the same browser. Shopping cart or login information is stored in the session in the server

15 PHP Sessions

16 We can establish / initialize a PHP Session by calling session_start() before any output has come out If the user has cookies set, we can use the array $_SESSION to store data from one request to the next with a particular browser We have a bit of data that persists from one request to the next By default these are stored in a temporary folder on disk

17 (On a Mac) /Applications/MAMP/tmp/php

18 http://php.net/manual/en/function.session-start.php

19 http://php.net/manual/en/function.session-destroy.php

20 <?php // Note - cannot have any output before this session_start(); if ( ! isset($_SESSION['value']) ) { echo(" Session is empty \n"); $_SESSION['value'] = 0; } else if ( $_SESSION['value'] < 3 ) { $_SESSION['value'] = $_SESSION['value'] + 1; echo(" Added one... \n"); } else { session_destroy(); session_start(); echo(" Session Restarted \n"); } ?> Click Me! Our Session ID is: sessfun.php

21

22

23 POST / Redirect / GET Once you do a POST, if you do refresh, the browser will re-send the POST data a second time The user gets a popup that tries to explain what is about to happen

24 guess.php Press Refresh

25 No Double Posts Typically POST requests are adding or modifying data whilst GET requests view data It may be dangerous to do the same POST twice (say withdrawing funds from a bank account) So the browser insists on asking the user (out of your control) Kind of an ugly UX / bad usability

26 HTTP Location Header If your application has not yet sent any data, it can send a special header as part of the HTTP Response The redirect header includes a URL that the browser is supposed to forard itself to It was originally used for web sites that moved from one URL to another http://en.wikipedia.org/wiki/URL_redirection

27 http://php.net/manual/en/function.header.php <= Error

28 <?php session_start(); if ( isset($_POST['where']) ) { if ( $_POST['where'] == '1' ) { header("Location: redir1.php"); return; } else if ( $_POST['where'] == '2' ) { header("Location: redir2.php?parm=123"); return; } else { header("Location: http://www.dr-chuck.com"); return; } ?> I am Router Two... Where to go? (1-3) redir1.php

29

30 After we entered "2" and pressed "Submit" Two pages were retrieved

31 Second page

32 POST Redirect Rule The simple rule for pages intended for a browser is to never generate a page with HTML content when the app receives POST data Must redirect somewhere - even to the same script - forcing the browser to make a GET after the POST

33 guess.php <?php $guess = ''; $message = false; if ( isset($_POST['guess']) ) { // Trick for integer / numeric parameters $guess = $_POST['guess'] + 0; if ( $guess == 42 ) { $message = "Great job!"; } else if ( $guess < 42 ) { $message = "Too low"; } else { $message = "Too high..."; } ?> A Guessing game Guessing game... <?php if ( $message !== false ) { echo(" $message \n"); } ?> Input Guess <input type="text" name="guess" id="guess" size="40" <?php echo 'value="'. htmlentities($guess). '"'; ?> /> (Review)

34 <?php $guess = ''; $message = false; if ( isset($_POST['guess']) ) { // Trick for integer / numeric parameters $guess = $_POST['guess'] + 0; if ( $guess == 42 ) { $message = "Great job!"; } else if ( $guess < 42 ) { $message = "Too low"; } else { $message = "Too high..."; } ?> A Guessing game Guessing game... <?php if ( $message !== false ) { echo(" $message \n"); } ?> Input Guess <input type="text" name="guess" id="guess" size="40" <?php echo 'value="'. htmlentities($guess). '"'; ?> /> <?php $guess = ''; $message = false; if ( isset($_POST['guess']) ) { // Nifty trick $guess = $_POST['guess'] + 0; if ( $guess == 42 ) { $message = "Great job!"; } else if ( $guess < 42 ) { $message = "Too low"; } else { $message = "Too high..."; } ?>... guess.php (Review)

35 <?php $guess = ''; $message = false; if ( isset($_POST['guess']) ) { // Trick for integer / numeric parameters $guess = $_POST['guess'] + 0; if ( $guess == 42 ) { $message = "Great job!"; } else if ( $guess < 42 ) { $message = "Too low"; } else { $message = "Too high..."; } ?> A Guessing game Guessing game... <?php if ( $message !== false ) { echo(" $message \n"); } ?> Input Guess <input type="text" name="guess" id="guess" size="40" <?php echo 'value="'. htmlentities($guess). '"'; ?> />... ?> A Guessing game Guessing game... <?php if ( $message !== false ) { echo(" $message \n"); } ?> Input Guess <input type="text" name="guess" id="guess" size="40" <?php echo 'value="'. htmlentities($guess). '"'; ?> /> (Review)

36 <?php session_start(); if ( isset($_POST['guess']) ) { $guess = $_POST['guess'] + 0; $_SESSION['guess'] = $guess; if ( $guess == 42 ) { $_SESSION['message'] = "Great job!"; } else if ( $guess < 42 ) { $_SESSION['message'] = "Too low"; } else { $_SESSION['message'] = "Too high..."; } header("Location: guess2.php"); return; } ?> guess2.php (Improved)

37 A Guessing game <?php $guess = isset($_SESSION['guess']) ? $_SESSION['guess'] : ''; $message = isset($_SESSION['message']) ? $_SESSION['message'] : false; ?> Guessing game... <?php if ( $message !== false ) { echo(" $message \n"); } ?> Input Guess <input type="text" name="guess" id="guess" size="40" /> guess2.php

38 Enter "41" and press "Submit"

39 Press "Refresh"

40

41 Login / Logout Having a session is not the same as being logged in. Generally you have a session the instant you connect to a web site The Session ID cookie is set when the first page is delivered Login puts user information in the session (stored in the server) Logout removes user information from the session

42 http://www.php-intro.com/code/sessions/ Simple address book with session as storage.

43 <?php session_start(); if ( isset($_POST["account"]) && isset($_POST["pw"]) ) { unset($_SESSION["account"]); // Logout current user if ( $_POST['pw'] == 'umsi' ) { $_SESSION["account"] = $_POST["account"]; $_SESSION["success"] = "Logged in."; header( 'Location: index.php' ) ; return; } else { $_SESSION["error"] = "Incorrect password."; header( 'Location: login.php' ) ; return; } ?> login.php

44 ?> Please Log In <?php if ( isset($_SESSION["error"]) ) { echo(' Error:'. $_SESSION["error"]." \n"); unset($_SESSION["error"]); } ?> Account: Password: login.php

45 <?php session_start(); session_destroy(); header("Location: index.php"); logout.php

46 ?> Online Address Book <?php if ( isset($_SESSION["success"]) ) { echo(' '.$_SESSION["success"]." \n"); unset($_SESSION["success"]); } // Retrieve data from the session for the view $street = isset($_SESSION['street']) ? $_SESSION['street'] : ''; $city = isset($_SESSION['city']) ? $_SESSION['city'] : ''; $state = isset($_SESSION['state']) ? $_SESSION['state'] : ''; $zip = isset($_SESSION['zip']) ? $_SESSION['zip'] : ''; index.php

47 if ( ! isset($_SESSION["account"]) ) { ?> Please Log In to start. Please enter your address: Street: <input type="text" name="street" size="50" value=" "> City: <input type="text" name="city" size="20" value=" "> State: <input type="text" name="state" size="2" value=" "> Zip: <input type="text" name="zip" size="5" value=" "> <input type="button" value="Logout" onclick="location.href='logout.php'; return false"> index.php

48 <?php session_start(); if ( isset($_POST["street"]) && isset($_POST["city"]) && isset($_POST["state"]) && isset($_POST["zip"]) ) { $_SESSION['street'] = $_POST['street']; $_SESSION['city'] = $_POST['city']; $_SESSION['state'] = $_POST['state']; $_SESSION['zip'] = $_POST['zip']; header( 'Location: index.php' ); return; } ?> index.php

49 PHP Sessions Without Cookies For a simple application handling login, logout, and shopping cart like information, cookie sessions are sufficient But if an application needs to function within an iframe, or have more than one session active (i.e. multiple tabs to the same site) we cannot use session cookies PHP has nice support for maintaining a sessions without a cookie

50 nocookie.php

51 <?php // Tell PHP we won't be using cookies for the session ini_set('session.use_cookies', '0'); ini_set('session.use_only_cookies',0); ini_set('session.use_trans_sid',1); session_start(); // Start the view ?> No Cookies for You! nocookie.php

52 No Cookies for You! <?php if ( ! isset($_SESSION['value']) ) { echo(" Session is empty \n"); $_SESSION['value'] = 0; } else if ( $_SESSION['value'] < 3 ) { $_SESSION['value'] = $_SESSION['value'] + 1; echo(" Added one \$_SESSION['value']=".$_SESSION['value']. " \n"); } else { session_destroy(); session_start(); echo(" Session Restarted \n"); } ?> Click This Anchor Tag! nocookie.php

53 ?> Click This Anchor Tag! Our Session ID is: nocookie.php

54 A whole host of problems... Session id is not automatically added in JavaScript, Ajax, Redirect, or other elements of HTML With the session id on the URL, folks can email URLs or even bookmark them and be logged in We will come back to these...

55 Summary Cookies Sessions Sessions in PHP Login / Logout POST / Redirect Pattern Cookie-free sessions

56 Acknowledgements / Contributions These slides are Copyright 2010- Charles R. Severance (www.dr-chuck.com) as part of www.php-intro.com and made available under a Creative Commons Attribution 4.0 License. Please maintain this last slide in all copies of the document to comply with the attribution requirements of the license. If you make a change, feel free to add your name and organization to the list of contributors on this page as you republish the materials. Initial Development: Charles Severance, University of Michigan School of Information Insert new Contributors and Translators here including names and dates Continue new Contributors and Translators here

Download ppt "Cookies, Sessions, and Authentication Dr. Charles Severance www.php-intro.com."

Similar presentations

JQuery MessageBoard. Lets use jQuery and AJAX in combination with a database to update and retrieve information without refreshing the page. Here we will.

JQuery MessageBoard. Lets use jQuery and AJAX in combination with a database to update and retrieve information without refreshing the page. Here we will.
UFCE8V-20-3 Information Systems Development 3 (SHAPE HK)

UFCE8V-20-3 Information Systems Development 3 (SHAPE HK)
Cookies, Sessions. Server Side Includes You can insert the content of one file into another file before the server executes it, with the require() function.

Cookies, Sessions. Server Side Includes You can insert the content of one file into another file before the server executes it, with the require() function.
Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.

Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.
Getting PHP Hosting Dr. Charles Severance. What We Need We want to be able to put up our application on the web so anyone can access our URL (and so we.

Getting PHP Hosting Dr. Charles Severance. What We Need We want to be able to put up our application on the web so anyone can access our URL (and so we.
CSE 154 LECTURE 13: SESSIONS. Expiration / persistent cookies setcookie(name, value, expiration); PHP $expireTime = time() + 60*60*24*7; # 1 week.

CSE 154 LECTURE 13: SESSIONS. Expiration / persistent cookies setcookie("name", "value", expiration); PHP $expireTime = time() + 60*60*24*7; # 1 week.
1 The World Wide Web. 2  Web Fundamentals  Pages are defined by the Hypertext Markup Language (HTML) and contain text, graphics, audio, video and software.

1 The World Wide Web. 2  Web Fundamentals  Pages are defined by the Hypertext Markup Language (HTML) and contain text, graphics, audio, video and software.
Forms and PHP Dr. Charles Severance www.php-intro.com.

Forms and PHP Dr. Charles Severance
Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.

Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.
1 Web Developer & Design Foundations with XHTML Chapter 6 Key Concepts.

1 Web Developer & Design Foundations with XHTML Chapter 6 Key Concepts.
PHP Tutorials 02 Olarik Surinta Management Information System Faculty of Informatics.

PHP Tutorials 02 Olarik Surinta Management Information System Faculty of Informatics.
Reading Data in Web Pages tMyn1 Reading Data in Web Pages A very common application of PHP is to have an HTML form gather information from a website's.

Reading Data in Web Pages tMyn1 Reading Data in Web Pages A very common application of PHP is to have an HTML form gather information from a website's.
Open Source Server Side Scripting ECA 236 Open Source Server Side Scripting Cookies & Sessions.

Open Source Server Side Scripting ECA 236 Open Source Server Side Scripting Cookies & Sessions.
CHAPTER 12 COOKIES AND SESSIONS. INTRO HTTP is a stateless technology Each page rendered by a browser is unrelated to other pages – even if they are from.

CHAPTER 12 COOKIES AND SESSIONS. INTRO HTTP is a stateless technology Each page rendered by a browser is unrelated to other pages – even if they are from.
CSC 2720 Building Web Applications Cookies, URL-Rewriting, Hidden Fields and Session Management.

CSC 2720 Building Web Applications Cookies, URL-Rewriting, Hidden Fields and Session Management.
CSE 154 LECTURE 12: COOKIES. Including files: include include(filename); PHP include(header.html); include(shared-code.php); PHP inserts the entire.

CSE 154 LECTURE 12: COOKIES. Including files: include include("filename"); PHP include("header.html"); include("shared-code.php"); PHP inserts the entire.
School of Computing and Information Systems CS 371 Web Application Programming PHP – Forms, Cookies, Sessions and Database.

School of Computing and Information Systems CS 371 Web Application Programming PHP – Forms, Cookies, Sessions and Database.
Lecture 8 – Cookies & Sessions SFDV3011 – Advanced Web Development 1.

Lecture 8 – Cookies & Sessions SFDV3011 – Advanced Web Development 1.
1 Maryland ColdFusion User Group Session Management 101 11 December 2001 Michael Schuler

1 Maryland ColdFusion User Group Session Management December 2001 Michael Schuler
Nic Shulver, Introduction to Sessions in PHP Sessions What is a session? Example Software Software Organisation The login HTML.

Nic Shulver, Introduction to Sessions in PHP Sessions What is a session? Example Software Software Organisation The login HTML.

Similar presentations

Ads by Google