
Maintaining State

HTTP is a stateless protocol:


Once a web server completes a client's request for a web page, the
connection between the two goes away.
There is no way for a server to recognize that a sequence of requests
all originate from the same client.




Cookies
A cookie is a bit of information that the server can give to a client. On
every subsequent request the client will give that information back to the
server, thus identifying itself.
Each cookie on the user's computer is connected to a particular domain.
Each cookie can be used to store up to 4KB of data.
A maximum of 20 cookies can be stored on a user's PC per domain.




Example
1. User sends a request for page at www.example.com for the first
time.
[diagram: browser -> server: page request]




Example
2. Server sends back the page HTML to the browser AND stores some
data in a cookie on the user's PC.
[diagram: server -> browser: html + cookie data]




Example
3. At the next page request for domain www.example.com, all
cookie data associated with this domain is sent too.
[diagram: browser -> server: page request + cookie data]




Set a cookie
setcookie(name[,value[,expire[,path[,domain[,secure]]]]])
name = cookie name
value = data to store (string)
expire = UNIX timestamp when the cookie expires. By default the cookie expires
when the browser is closed.
path = Path on the server within and below which the cookie is available.
domain = Domain for which the cookie is available.
secure = Whether the cookie should be sent over HTTPS connections only. Default false.




Example
setcookie('name','Robert')
Sets the cookie called name on the user's PC containing the data
Robert.
It will be available to all pages in the same directory or subdirectory
of the page that set it (the default path and domain).
It will expire and be deleted when the browser is closed (default
expire).




Example
setcookie('age','20',time()+60*60*24*30)
Sets the cookie called age on the user's PC containing the data 20.
It will be available to all pages in the same directory or subdirectory
of the page that set it (the default path and domain).
It will expire and be deleted after 30 days.




Example
setcookie('gender','male',0,'/')
Sets the cookie called gender on the user's PC containing the data
male.
It will be available within the entire domain that set it (path '/').
It will expire and be deleted when the browser is closed.




Read cookie data
All cookie data is available through the superglobal $_COOKIE:
$variable = $_COOKIE['cookie_name'];
or
$variable = $HTTP_COOKIE_VARS['cookie_name'];
Example:
$age = $_COOKIE['age'];




Storing an array
Only strings can be stored in cookies.
To store an array in a cookie, convert it to a string by using the
serialize() PHP function.
The array can be reconstructed using the unserialize() function once
it has been read back in.
Note that cookie size is limited.




Delete a cookie
To remove a cookie, simply overwrite the cookie with a new one
with an expiry time in the past.
setcookie('cookie_name','',time()-6000);




Note
As the setcookie command involves sending an HTTP header in the
response, it must be executed before any HTML is echoed to the
browser, including whitespace.
[diagram: correct = setcookie called before anything is echoed;
incorrect = whitespace echoed before setcookie]
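The ordering rule above has a built-in check: headers_sent() tells you whether output has already started, and in which file and line. The helper below is an added example (not from the slides) that refuses to set the cookie once output has begun and logs the offending location so the stray echo or blank line can be removed. The cookie name 'visited' is constructed for illustration.

```php
<?php
// Added example (not from the slides): guard setcookie() with headers_sent(),
// which reports whether the response body has already started and where.
declare(strict_types=1);

function set_cookie_or_explain(string $name, string $value, int $expire = 0): bool
{
    $file = '';
    $line = 0;
    if (headers_sent($file, $line)) {
        // Too late: the header block is already on the wire. Record where
        // output started (often a blank line before the opening <?php tag).
        error_log(sprintf('cannot set cookie %s: output started at %s:%d',
                          $name, $file, $line));
        return false;
    }
    return setcookie($name, $value, $expire, '/');
}

// Correct order: cookie first, HTML afterwards.
$ok = set_cookie_or_explain('visited', '1');
echo '<html><body>Cookie set: ', $ok ? 'yes' : 'no', "</body></html>\n";

// Incorrect order (would return false and log the offending line):
// echo '<html>';                       // or whitespace before "<?php"
// set_cookie_or_explain('visited', '1');
```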




Cookie Limitations
The important thing to note is that some people browse with them
turned off.
e.g. in Firefox: Tools > Options > Privacy
Cookies are stored client-side, so never trust them completely:
They can be easily viewed, modified or created by a 3rd party.
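Since a cookie can be edited or forged on the client, any value the server relies on should be signed so that tampering is detected. The following is an added example, not from the slides: each value is stored as value|HMAC-SHA256 under a server-side secret, and is accepted only if the signature verifies. COOKIE_SECRET is a constructed placeholder, and the 'role' cookie is illustrative. Signing detects modification and forgery; it does not stop the user from viewing the value, which the slide also warns about.

```php
<?php
// Added example (not from the slides): HMAC-signed cookie values so that a
// client-side edit or a forged cookie is detected on the server.
declare(strict_types=1);

// Placeholder: in practice a long random secret loaded from server config.
const COOKIE_SECRET = 'replace-with-a-long-random-server-secret';

// Encode as value|signature, signature = HMAC-SHA256(value) under the secret.
function sign_cookie_value(string $value): string
{
    return $value . '|' . hash_hmac('sha256', $value, COOKIE_SECRET);
}

// Return the original value, or null if the signature is missing or wrong.
function verify_cookie_value(string $raw): ?string
{
    $pos = strrpos($raw, '|');
    if ($pos === false) {
        return null;
    }
    $value    = substr($raw, 0, $pos);
    $sig      = substr($raw, $pos + 1);
    $expected = hash_hmac('sha256', $value, COOKIE_SECRET);
    // hash_equals() compares in constant time, so a forger learns nothing
    // from response timing about how many bytes matched.
    return hash_equals($expected, $sig) ? $value : null;
}

// Setting: secure (HTTPS only) and httponly (not readable from JavaScript),
// the 6th and 7th setcookie() parameters.
setcookie('role', sign_cookie_value('member'), 0, '/', '', true, true);

// Reading on a later request: a missing or tampered cookie falls back to the
// least-privileged role instead of being trusted.
$role = isset($_COOKIE['role']) ? verify_cookie_value($_COOKIE['role']) : null;
if ($role === null) {
    $role = 'guest';
}

// Self-check without a browser round trip:
if (verify_cookie_value(sign_cookie_value('member')) !== 'member') {
    throw new RuntimeException('valid signature rejected');
}
if (verify_cookie_value('admin|0000') !== null) {
    throw new RuntimeException('forged cookie accepted');
}
```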




What is session?
A session refers to all the requests that a single client makes to a
server over some period of time.
A session is specific to the user: for each user a new session is
created to track all the requests from that user.




How do Sessions work?
They are based on assigning each user a unique number called a
session id.
e.g. 26fe536a534d3c7cde4297abb45e275a
This session id is stored in a cookie, or passed in the URL between
pages while the user browses.
The data to be stored (e.g. name, log-in state, etc.) is stored
securely server-side in a PHP superglobal, and referenced using the
session id.




Starting a Session
session_start();
PHP does all the work: it looks for a valid session id in the $_COOKIE or
$_GET superglobals and, if one is found, initializes the data. If none is
found, a new session id is created.




Storing Session Data
The $_SESSION super-global array can be used to store any
session data.
$_SESSION['name'] = $name;
$_SESSION['age'] = $age;




Reading Session Data
Data is simply read back from the $_SESSION super-global array.
e.g.
$name = $_SESSION['name'];
$age = $_SESSION['age'];




Session Propagation
Sessions need to pass the session id between pages as a user
browses in order to track the session.
This can be done in two ways:
Cookie propagation
URL propagation




Cookie Propagation
A cookie is stored on the user's PC containing the session id.
It is read in whenever session_start(); is called to initialize the
session.




URL Propagation
The session id is propagated in the URL:
some_folder/index.php?sid=26fe536a534d3c7cde4297abb45e275a
PHP provides a global constant, SID, to append the session id to any
internal link:
<a href="nextpage.php?<?=SID?>">Next page</a>




Which one..?
The default setup of a PHP server is to use both methods:
it checks whether the user has cookies enabled.
If cookies are on, PHP uses cookie propagation. If cookies are off,
it uses URL propagation.




Destroying a Session
Often not required, but if we want to destroy a session:
// clear all session variables
$_SESSION = array();
// delete the session cookie if there is one
if (isset($_COOKIE[session_name()])) {
setcookie(session_name(),'',time()-42000,'/');
}
// destroy session
session_destroy();
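The following is an added example, not from the slides, that joins the "Starting a Session", "Storing Session Data", "Reading Session Data", "Session Propagation" and "Destroying a Session" slides into one login/logout flow. Two hardening steps are added that the slides do not show: the session is restricted to cookie propagation (session.use_only_cookies / session.use_trans_sid), because an id carried in the URL ends up in browser history, bookmarks and Referer headers sent to other sites; and session_regenerate_id(true) is called at login, so an id that existed before the user authenticated cannot be reused afterwards. check_password() is a hypothetical stand-in for the application's own credential check.

```php
<?php
// Added example (not from the slides): a complete login / logout flow built
// from session_start(), $_SESSION and the destroy sequence on the slides.
declare(strict_types=1);

// Propagation hardening, applied before the session starts: the id travels
// only in a cookie, never in the URL, and the cookie is HTTPS-only and not
// readable from JavaScript (session_set_cookie_params array form: PHP 7.3+).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
session_set_cookie_params([
    'lifetime' => 0,        // until the browser closes, as on the slides
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();            // reuses the id from $_COOKIE or creates a new one

// Hypothetical credential check; a real one looks up the stored hash for
// $user and calls password_verify() on it.
function check_password(string $user, string $password): bool
{
    return false;
}

function login(string $user, string $password): bool
{
    if (!check_password($user, $password)) {
        return false;
    }
    // Switch to a fresh session id at the moment privileges change, so an id
    // obtained before login (fixation) is worthless afterwards; true deletes
    // the old server-side file.
    session_regenerate_id(true);
    $_SESSION['name']      = $user;   // storing session data
    $_SESSION['logged_in'] = true;
    return true;
}

// Reading session data: the logged-in user's name, or null for anonymous.
function current_user(): ?string
{
    return ($_SESSION['logged_in'] ?? false) ? (string) $_SESSION['name'] : null;
}

// Destroying the session, exactly as on the slide.
function logout(): void
{
    $_SESSION = [];                                 // clear all session variables
    if (isset($_COOKIE[session_name()])) {          // delete the session cookie
        setcookie(session_name(), '', time() - 42000, '/');
    }
    session_destroy();                              // remove the server-side data
}

// --- usage ---
if (isset($_POST['user'], $_POST['password'])
    && login((string) $_POST['user'], (string) $_POST['password'])) {
    header('Location: /welcome.php');
    exit;
}
if (isset($_GET['logout'])) {
    logout();
    header('Location: /');
    exit;
}
$who = current_user();
echo 'Hello, ', htmlspecialchars($who ?? 'guest'), "\n";
```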




Cookies                         | Sessions
Limited storage space           | Practically unlimited space
Insecure storage client-side    | Reasonably securely stored server-side
User controlled                 | No user control
