Session Management & Cookies In Php


Published on

  • want to download..pls provide link
    Are you sure you want to  Yes  No
    Your message goes here
  • kindly help me to download this ppt
    Are you sure you want to  Yes  No
    Your message goes here
  • please help me to download this presentation
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Session Management & Cookies In Php

  1. 1. PHP – Session Management & Cookies in PHP Harit Kothari [email_address]
  2. 2. Agenda <ul><li>Session Management </li></ul><ul><li>Application of Session Management </li></ul><ul><li>Session management with PHP - $HTTP_SESSION_VARS </li></ul><ul><li>Cookies basics </li></ul><ul><li>Application of Cookies </li></ul><ul><li>Setcookie() & $_COOKIE </li></ul>
  3. 3. Session Management <ul><li>HTTP is a stateless protocol </li></ul><ul><li>Does not remember what happened between two consecutive requests </li></ul><ul><li>Example – Online bookshop </li></ul><ul><li>Browser sends a login request to the server, sending the user ID and password </li></ul><ul><li>Server authenticates user and responds back with a successful login message along with the menu of options available to the user </li></ul><ul><li>User clicks on one of the options (say Buy book) </li></ul><ul><li>Browser sends user’s request to the server </li></ul>
  4. 4. <ul><li>Ideally, we would expect the server to remember who this user is </li></ul><ul><li>But this does not happen! </li></ul><ul><li>Server does not know who this user is </li></ul><ul><li>Browser has to remind server every time! </li></ul><ul><li>Hence, HTTP is stateless and so is server </li></ul>
  5. 6. Techniques for Session Management <ul><li>Cookies </li></ul><ul><ul><li>Small text files that contain the session_id </li></ul></ul><ul><ul><li>Container creates a cookie and sends it to the client </li></ul></ul><ul><ul><li>Client creates a temporary file to hold it till the session lasts </li></ul></ul><ul><li>Alternatives </li></ul><ul><ul><li>URL rewriting </li></ul></ul><ul><ul><li>Hidden form variables </li></ul></ul>
  6. 7. Managing Session - 1 <ul><li>Cookie </li></ul><ul><ul><li>Request setcookie(sid,test123); </li></ul></ul><ul><ul><li>Response Cookie: sid=test123 </li></ul></ul><ul><li>Hidden Form Field </li></ul><ul><ul><li>Request <input type=hidden name=sid value=test123> </li></ul></ul><ul><ul><li>Response sid=test123 </li></ul></ul>
  7. 8. Managing Session - 2 <ul><li>URL Rewriting </li></ul><ul><ul><li>Request <a href=next.jsp;sid=test123>Next page</a> </li></ul></ul><ul><ul><li>Response sid=test123 </li></ul></ul>
  8. 9. Cookies
  9. 10. Cookie Exchange: Technical Level – 1 <ul><li>Step 1: Cookie is one of the header fields of the HTTP response </li></ul>HTTP/1.1 200 OK Set-Cookie: JSESSIONID = 0AAB6C8DE415 Content-type: text/html Date: Tue, 9 Mar 2008 11:25:40 GMT … <html> … </html>
  10. 11. Cookie Exchange: Technical Level – 2 <ul><li>Step 2: Client sends the cookie with the next request </li></ul>POST SelectDetails HTTP/1.1 Host: Cookie: JSESSIONID = 0AAB6C8DE415 Accept: text/xml, … Accept-Language: en-us, … … …
  11. 12. Comparisons <ul><li>Cookies </li></ul><ul><ul><li>Will not work in the case of cookies are unsupported / blocked by browser </li></ul></ul><ul><ul><li>Cookies must be set to expire, otherwise security issues may arise </li></ul></ul><ul><li>Hidden Form Fields </li></ul><ul><ul><li>Useless in the case of simple forms / HTML </li></ul></ul><ul><li>URL rewriting </li></ul><ul><ul><li>Mostly used, and best way / alternative </li></ul></ul><ul><ul><li>Best option to avoid security issues </li></ul></ul>
  12. 13. Play with Session Management in PHP <ul><li>Starting a session <?php session_start() ?> </li></ul><ul><li>When the above code executes, the server creates a new session ID (if none exists for this client) </li></ul><ul><li>The server puts the session ID inside a cookie </li></ul><ul><li>The server sends the cookie to the client </li></ul>
  13. 14. Adding a variable to session <ul><li><?php session_start(); session_register('hits'); ++$hits; ?> This page has been viewed <?= $hits ?> times. </li></ul><ul><li>session_start() signals to initiate a new session </li></ul><ul><li>session_register() adds (registers) a variable into $HTTP_SESSION_VARS array that is unique for each client, exists on server </li></ul><ul><ul><li>If register_globals is enabled in the php.ini file, the variables are also set directly </li></ul></ul>
  14. 15. URL Rewriting <ul><li>By default, the session ID is passed from page to page in the PHPSESSID cookie </li></ul><ul><li>But what if cookies are disabled? Don't worry, we have the solution: </li></ul>
  15. 16. Session Management methods - 1 (to avoid session mis-management!) <ul><li>Boolean session_start() - always returns true Initializes a session by either creating a new session or using an identified one. Checks for the variable $PHPSESSID in the HTTP request. If a session identifier isn't included in the request, or an identified session isn't found, a new session is created. If a session ID is included in the request, and a session isn't found, a new session is created with the PHPSESSID encoded in the request. </li></ul>
  16. 17. Session Management methods - 2 to avoid session mis-management!) <ul><li>string session_id([string id]) Can be used in two ways: to return the ID of an initialized session and to set the value of a session ID before a session is created. When used to return the session ID, the function must be called without arguments after a session has been initialized. When used to set the value of the session ID, the function must be called with the ID as the parameter before the session has been initialized. </li></ul>
  17. 18. Session Management methods - 3 (to avoid session mis-management!) <ul><li>Boolean session_register(mixed name [, mixed ...]) Registers one or more variables in the session store. Each argument is the name of a variable, or an array of variable names, not the variable itself. Once a variable is registered, it becomes available to any script that identifies that session. This function calls the session_start( ) code internally if a session has not been initialized. </li></ul>
  18. 19. Session Management methods - 4 (to avoid session mis-management!) <ul><li>Boolean session_is_registered(string variable_name) Returns true if the named variable has been registered with the current session and false otherwise. Using this function to test if a variable is registered is a useful way to determine if a script has created a new session or initialized an existing one. </li></ul>
  19. 20. Session Management methods - 5 (to avoid session mis-management!) <ul><li>void session_unregister(string variable_name) Unregisters a variable with the initialized session. Like the session_register() function, the argument is the name of the variable, not the variable itself. Unlike the session_register() function, the session needs to be initialized before calling this function. Once a variable has been removed from a session with this call, it is no longer available to other scripts that initialize the session. However, the variable is still available to the rest of the script that calls session_unregister(). </li></ul>
  20. 21. Session Management methods - 6 (to avoid session mis-management!) <ul><li>Boolean session_destroy() Removes the session from the PHP session management. Returns true if the session is successfully destroyed and false otherwise. </li></ul><ul><li>void session_unset() Unsets the values of all session variables. This function doesn't unregister the actual session variables. A call to session_is_registered( ) still returns true for the session variables that have been unset. </li></ul>
  21. 22. Cookies <ul><li>Add / set cookie </li></ul><ul><ul><li>setcookie(name [, value [, expire [, path [, domain [, secure ]]]]]); </li></ul></ul><ul><ul><li>Example : setcookie('accesses', '0'); </li></ul></ul><ul><li>Read cookie </li></ul><ul><ul><li>Manipulate $_COOKIE[] array </li></ul></ul><ul><ul><li>Example : $pg_accesses = $_COOKIE['accesses']; </li></ul></ul>
  22. 23. Understanding setcookie() <ul><li>setcookie(name [, value [, expire [, path [, domain [, secure ]]]]]); </li></ul><ul><li>name </li></ul><ul><ul><li>Unique name to represent a cookie, like a variable </li></ul></ul><ul><li>value </li></ul><ul><ul><li>Value associated with cookie name, like variable value. Should not be too long. Appx. Max size for a cookie should be appx. 3.5KB </li></ul></ul>
  23. 24. <ul><li>expire </li></ul><ul><ul><li>Expiration date. If not provided, stored on browser. As soon as browser is closed, cookie expires. </li></ul></ul><ul><ul><li>Cookie expiration must be specified in no. of seconds since midnight January 1, 1970, GMT. </li></ul></ul><ul><ul><li>Example – a cookie that will expire in 2 hoours setcookie(myCookie, '0', time()+60*60*2); </li></ul></ul>
  24. 25. <ul><li>path </li></ul><ul><ul><li>Browser will return cookie only for URLs below this path. </li></ul></ul><ul><ul><li>Default is the directory in which the current page resides. </li></ul></ul><ul><ul><li>Example : a page located at /test/module1/test1.php sets a cookie, and doesn't specify path, cookie will sent back to server for all pages having URL path with /test/module1/ </li></ul></ul>
  25. 26. <ul><li>domain </li></ul><ul><ul><li>Return cookie only for the URLs within the same domain </li></ul></ul><ul><ul><li>Default is server's hostname </li></ul></ul><ul><li>secure </li></ul><ul><ul><li>Transmit cookie only on HTTPS connection </li></ul></ul><ul><ul><li>If secure parameter is false, browser will allow to send cookie over HTTP also </li></ul></ul>
  26. 27. Cookie types <ul><li>Persistent </li></ul><ul><ul><li>Having 'lifetime' longer than browser session </li></ul></ul><ul><ul><li>Used only when required </li></ul></ul><ul><li>Transient </li></ul><ul><ul><li>Having 'lifetime' limited to browser session, or even shorter </li></ul></ul><ul><ul><li>Used for secure session management </li></ul></ul>
  27. 28. Applications with cookies <ul><li>Passing some string value throughout session, or multiple pages </li></ul><ul><li>Like, form fill up and showing summary of form </li></ul><ul><li>As we saw, for session management, but is less effective </li></ul><ul><li>Displaying visitor count, per visitor </li></ul>