Cookies Cookies & Session Web Technology. Introduction HTTP is stateless and cannot keep information...

Cookies

Cookies & Session

Web Technology

Introduction

• HTTP is stateless and cannot keep information over a series of accesses.

• We need to let the server know that this browser is the one that worked on the previous page.
– This user is still looking for more products after the ones he just selected.

• We need some mechanism to provide memory for a web server.
– Cookies: The browser stores information on the client's side.
– Session: The server carries over the information for the browser.

What Are Cookies?

• Cookies were developed to maintain state between subsequent visits to a webpage, or between visits to different pages within a website.

• Cookies enable web servers to store and retrieve data on the client's hard drive.

• A web application can track a client's path through a website.
– An e-commerce site may store items selected by a customer.
– A membership site might remember an ID for every user.

Cookies can be used to store data on the client.

Cookies Restrictions

• Scope of Cookies
– Expiry information (e.g. 01/01/2004, 03:00:00)
– Path information (e.g. /cgi-bin/php)
– Domain information (e.g. webserver.com)
– A secure parameter (cookies are sent only over a secure channel, i.e. HTTPS)

Parameter Name        Default Value
Path                  "/" (all directories on the server)
Domain                The domain of the server that set the cookie
Expire information    Until the browser is closed
Secure                Disabled

Our First Cookie

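<?php
// Read the visit counter from the cookie (first visit: no cookie yet) and add 1
$count = isset($_COOKIE['count']) ? (int)$_COOKIE['count'] + 1 : 1;
setcookie("count", $count);
echo "You have been here $count " . ($count > 1 ? "times" : "time");
?>

<?php
echo "ABC"; // output starts here, before setcookie() below
$count = isset($_COOKIE['count']) ? (int)$_COOKIE['count'] + 1 : 1;
setcookie("count", $count);
echo "You have been here $count " . ($count > 1 ? "times" : "time");
?>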

ABCWarning: Cannot modify header information - headers already sent by (output started at C:\AppServ\www\webtech\cookie\index.php:2) in C:\xxx\index.php on line 4

setcookie() Function

• cookiename: name to be used for accessing the cookie
• value: value to be stored in cookiename
• lifetime: time when cookie will expire (unit in seconds since the start of cookie)
• path: subset of paths for which the cookie is valid
• domain: the servers to which the cookie will be sent
• secure: prevents the cookie from being sent over an insecure connection (standard HTTP)

int setcookie(string cookiename, string [value], int [lifetime], string [path], string [domain], int [secure]);

Setting Cookies

• Setting cookie expiration

$expt = time() + 60;
setcookie("count", $count, $expt); // Cookie's life is 60 seconds (1 minute)

• Setting cookie path

// Allow the cookie to be used under the directory "webtech" (the path must start with "/")
setcookie("count", $count, 0, "/webtech");

• Setting cookie domain

// Allow access from any directory on any server whose name ends with "ced.kmutnb.ac.th"
setcookie("count", $count, 0, "/", ".ced.kmutnb.ac.th");

Delete Cookies

• Setting a cookie name with no value will delete it

<?php
setcookie("username");
?>

• If we want to delete the previous one and create it again, the order is confusing, like this:

<?php
// set the new one
setcookie("username", "Joe");
// delete the old one
setcookie("username");
?>

Check for Cookie Support

<?php
if (empty($_GET['check'])) {
    // 1. Set cookie and redirect to itself
    $page = $_SERVER['PHP_SELF'] . "?check=1";
    setcookie("testcookie", "1");   // set cookie
    header("Location: $page");      // redirect to itself with check variable
    exit;
} else {
    // 2. Check if the test cookie is set
    if (empty($_COOKIE['testcookie'])) {
        echo "Your browser does not support cookie. Please enable cookies.";
    } else {
        setcookie("testcookie");    // Delete test cookie (before any output is sent)
        echo "Your browser supports cookies, OK.";
        // header("Location: mainpage.php"); // Redirect to the page we wish
    }
}
?>

Session

Cookies & Session

Web Technology

Session

• Sessions use a cookie called PHPSESSID.
• When a session starts, PHP checks for this cookie and sets it if it doesn't exist.
• The PHPSESSID cookie is a random alphanumeric string.
• Each web client gets a different session ID.
– The session ID in the PHPSESSID cookie identifies that web client uniquely to the server.

• We can create session variables to store information and carry it over until the session ends or browser is closed.

Store and Retrieve Information

• Session data is stored in the $_SESSION array.
• We use session_start() to initiate a session.

<?php
session_start(); // start a session
// First visit: the counter does not exist yet, so start from 0
$_SESSION['count'] = (isset($_SESSION['count']) ? $_SESSION['count'] : 0) + 1;
print "You've looked at this page " . $_SESSION['count'] . ' times.';
?>

• To end a session, we use session_destroy() (or close the browser).

<?php
session_start();   // resume the session so that it can be destroyed
session_destroy(); // End the session
?>

Login Page

Using Session Variable for Login Page

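<?php
session_start();
// Opening the login page ends any previous login (the Logout link points here)
if (isset($_SESSION['tct'])) {
    session_destroy();
    session_start(); // start a fresh session so the result below is stored
}
if (isset($_POST['submit']) && $_POST['submit'] == "Login") {
    if ($_POST['txtUser'] == "tct" && $_POST['txtPass'] == "tct") {
        $_SESSION['tct'] = "OK";
        header('Location: menu.php');
        exit; // stop here, otherwise the next line overwrites "OK" with "FAILED"
    }
    $_SESSION['tct'] = "FAILED";
}
?>
<html>
<head>
<title>Login Page</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>" method="post">
…………………See Next Slide………………..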

Using Session Variable for Login Page (Cont.)

<table width="20%" border="1" align="center">
  <tr>
    <td width="14%"><strong>User</strong></td>
    <td width="86%"><input type="text" name="txtUser" value=""></td>
  </tr>
  <tr>
    <td><strong>Passwd</strong></td>
    <td><input type="password" name="txtPass" value=""></td>
  </tr>
  <tr>
    <td colspan="2" align="center"><input type="reset" value="Cancel"><input type="submit" name="submit" value="Login"></td>
  </tr>
</table>
</form>
</body>
</html>

Checking Successful Login

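• All pages that are under login control must include this piece of code at the top of the page (xxx.php).

<?php
session_start();
// Only a successful login ("OK") may pass; a failed attempt stores "FAILED"
if (!isset($_SESSION['tct']) || $_SESSION['tct'] != "OK") {
    header('Location: login.php');
    exit; // stop, so the rest of the protected page is not sent
}
?>

Note: This code is saved under chk_login.php.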

Menu Page Under Login Control

<?php
include('chk_login.php'); // redirects to login.php unless logged in
?>
<html>
<head>
<title>Menu</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<a href="http://www.sun.com">Sun</a><BR>
<a href="login.php">Logout</a>
<?php
echo htmlspecialchars(session_id()) . "<HR>"; // show the current session ID, escaped for HTML
?>
</body>
</html>
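A hardened variant of the login flow from the slides, as an added example that is not part of the original slides: the session cookie gets restrictive parameters, the password is checked against a hash, the session ID is regenerated on login, and logout clears both the server-side data and the cookie. The $users table, the 'user' session key and the function names are hypothetical; login.php and menu.php follow the slides, and the site is assumed to be served over HTTPS on PHP 7.3 or later.

```php
<?php
// Added example. $users is a constructed credential store; a real application
// would load the output of password_hash() from its database.
$users = ['tct' => password_hash('tct', PASSWORD_DEFAULT)];

session_set_cookie_params([
    'lifetime' => 0,      // dropped when the browser closes
    'path'     => '/',
    'secure'   => true,   // PHPSESSID is only sent over HTTPS
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

function try_login(array $users, string $user, string $pass): bool
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false;
    }
    session_regenerate_id(true); // new ID after login, the old one is deleted
    $_SESSION['user'] = $user;
    return true;
}

// The check that chk_login.php performs on the slides, as a function.
function require_login(): void
{
    if (empty($_SESSION['user'])) {
        header('Location: login.php');
        exit; // without this the protected page is still sent after the redirect
    }
}

function logout(): void
{
    $_SESSION = [];                       // clear server-side data
    $p = session_get_cookie_params();
    unset($p['lifetime']);                // setcookie() expects 'expires' instead
    setcookie(session_name(), '', ['expires' => time() - 3600] + $p);
    session_destroy();
}

if (($_POST['submit'] ?? '') === 'Login') {
    $u  = $_POST['txtUser'] ?? '';
    $pw = $_POST['txtPass'] ?? '';
    $ok = is_string($u) && is_string($pw) && try_login($users, $u, $pw);
    header('Location: ' . ($ok ? 'menu.php' : 'login.php'));
    exit;
}
```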