Cookies & Session Web Technology

Introduction HTTP is stateless and cannot keep information over a series of accesses. We need to let the server know that this browser is the one that works on the previous page This user is still looking for more products after some he just selected. We need some mechanism to provide memory for a web server Cookies: Browser stores information on client’s side Session: Server carries over the information for the browser.

What Are Cookies? Cookies were developed to maintain state between subsequent visits to a webpage, or between visits to different pages within a website. Cookies enable web servers to store and retrieve data on the clients hard drive. Webapp can track a clients path through a website. E-commerce may store items selected by a customer. A membership site might remember an ID for every use Cookies can be used to store data on client.

Cookies Restrictions Scope of Cookies Expiry information (e.g. 01/01/2004, 03:00:00) Path information (e.g. /cgi-bin/php) Domain information (e.g. webserver.com) A secure parameter (cookies are sent only over secure channel (i.e. HTTPS) Parameter Name Default Value path “/” (all directories on the server) Domain The domain of server that set the cookies Expire information Until the browser is closed. Secure Disabled

Our First Cookie <? $_COOKIE['count']++; setcookie("count", $_COOKIE['count'] ); $count = $_COOKIE['count']; echo "You have been here $count ".($count>1?"times":"time"); ?> <? echo “ABC”; $_COOKIE['count']++; setcookie("count", $_COOKIE['count'] ); $count = $_COOKIE['count']; echo "You have been here $count ".($count>1?"times":"time"); ?> ABC Warning: Cannot modify header information - headers already sent by (output started at C:\AppServ\www\webtech\cookie\index.php:2) in C:\xxx\index.php on line 4

setcookie() Function cookiename: value to be used for accessing cookie value: value to be stored in cookiename lifetime: time when cookie will expire (unit in seconds since the start of cookie) path: subset of paths for which cookie is valid domain: which servers cookie will be sent secure: prevent cookies being sent over an insecure connection (standard HTTP) int setcookie(string cookiename, string [value], int [lifetime], string [path], string [domain], int [secure];

Setting Cookies Setting cookie expiration Setting cookie path Setting cookie domain $expt = time()+60; setcookie("count", $count, $expt); //Cookie’s life is 60 seconds (1 minute) setcookie("count", $count, 0, “./webtech”); // Allowing to use cookies // under director “webtech” setcookie("count", $count, 0, “./”, “.ced.kmutnb.ac.th”); // Allowing to access any directories on any server that ends with “ced.kmutnb.ac.th”

Delete Cookies Set nothing to cookie name will delete it If we want to delete the previous one and create it again, the order is confusing like this <? setcookie("username"); ?> <? //set the new one setcookie("username", "Joe"); //delete the old one setcookie("username"); ?>

Check for Cookie Support <? if(empty($_GET['check'])) { //1. Set cookie and redirect to itself $page = $PHP_SELF."?check=1"; setcookie("testcookie", "1"); // set cookie header("Location: $page"); //redirect to itself with check variable } else { //2. Check if the test cookie is set if(empty($_COOKIE['testcookie'])) { echo "Your browser does not support cookie. Please enable cookies."; }else { echo "Your browser supports cookies, OK."; setcookie("testcookie"); // Delete test cookie, then redirect //header("Location: mainpage.php"); //Redirect to the page we wish } ?>

Cookies & Session Web Technology

Session Sessions use a cookie called PHPSESSID When a session starts, PHP checks for this cookie and sets it if it doesn't exist PHPSESSID cookie is a random alphanumeric string. Each web client gets a different session ID, session ID in the PHPSESSID cookie identifies that web client uniquely to the server. We can create session variables to store information and carry it over until the session ends or browser is closed.

Store and Retrieve Information Session data is stored in the $_SESSION array We use session_start() to initiate a session To end a session, we use session_destroy() or close browser). <? session_start( ); // start a session $_SESSION['count'] = $_SESSION['count'] + 1; print "You've looked at this page " . $_SESSION['count'] . ' times.'; ?> <? session_destroy( ); // End the session ?>

Login Page

Using Session Variable for Login Page <? session_start(); if(isset($_SESSION['tct'])) session_destroy(); if($_POST['submit']=="Login") { if($_POST['txtUser']=="tct" && $_POST['txtPass']=="tct") $_SESSION['tct'] = "OK"; header('Location: menu.php'); } $_SESSION['tct'] = "FAILED"; ?> <html><head><title>Login Page</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> </head> <body> <form action="<? echo $_SERVER["PHP_SELF"]; ?>" method="post"> …………………See Next Slide………………..

Using Session Variable for Login Page (Cont.) <table width="20%" border="1" align="center"> <tr> <td width="14%"><strong>User</strong></td> <td width="86%"><input type="text" name="txtUser" value=""></td> </tr> <td><strong>Passwd</strong></td> <td><input type="password" name="txtPass" value=""></td> <td colspan="2" align="center"><input type="reset" value="Cancel"><input type="submit" name="submit" value="Login"></td> </table> </form> </body> </html>

Checking Successful Login All pages that are under login control must include this piece of code at the top of the page. (xxx.php); <? session_start(); if(!isset($_SESSION['tct'])) { header( 'Location: login.php' ) ; } ?> Note: This code is saved under chk_login.php.

Menu Page Under Login Control <? include('chk_login.php'); // ?> <html> <head> <title>Menu</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> </head> <body> <a href="http://www.sun.com">Sun</a><BR> <a href="login.php">Logout</a> echo $_REQUEST['PHPSESSID']."<HR>"; </body> </html>