13.1. Cookies

You can track certain user details, such as the number of visits, names, or the date of the last visit, using cookies: small bits of text stored on the client that have been available since Netscape 1.0. The client machine stores this information and sends it to the web server whenever there is a request. Cookie data is sent along with the HTTP headers. After the first visit to a web site, the browser returns a copy of the cookie to the server each time it connects. For security reasons, cookies can be read only from the domain that created them. Additionally, cookies have an expiration date after which they're deleted. The maximum size of data that a cookie can hold is 4 KB.

Cookies are different from sessions, because cookies are stored on the client's disk, whereas a session stores the bulk of its data on the server. Sessions are basically like tokens, which are generated at authentication. This means that a session is available as long as the browser is open. Sessions actually use a single cookie by default to track their token or session identifier.

Figure 13-1 illustrates where cookies are stored when a web browser requests pages; in this example, http://example.com/set.php followed by http://example.com/read.php. The actual key storage resides on the client's browser after the first page is requested. When the client requests the second page, it also sends the cookie data to the server.

Figure 13-1. Client browser and server interaction with cookies

Sessions are popularly used, as there's a chance of your cookies getting blocked if the user's browser security setting is high. Sessions provide a fallback of passing the session identifier from page to page if cookies are disabled.
Mostly, the server uses the cookie to remember the user and maintain the illusion of a session that spans multiple pages. Everything you could possibly want to know about cookies can be found at http://www.w3.org/Security/Faq/wwwsf2.html#CLT-Q10.

13.1.1. Setting a Cookie

PHP provides an easy way to set a cookie: the function setcookie.
The function takes a name for the cookie as a parameter. You can optionally specify other details; for example:

setcookie(name, value, expire, path, domain, secure)

Table 13-1 lists the parameter values and their meanings for setcookie.
Example 13-1 shows how to create a cookie with the name username and the value michele.

Example 13-1. Creating a cookie
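The following is an added example, not the book's Example 13-1, showing the username cookie set with every parameter listed above rather than just name and value. The 30-day expiry, the path and the flag values are assumptions chosen for illustration. Because setcookie sends a Set-Cookie header, it has to run before the script produces any output.

```php
<?php
// Added example, not the book's Example 13-1. Values are constructed.
// setcookie() sends a Set-Cookie header, so it must run before any output.

// Expiry is a Unix timestamp: here 30 days from now.
$expires = time() + 30 * 24 * 60 * 60;

// Positional form, in the parameter order given in the text
// (name, value, expire, path, domain, secure), plus the httponly flag
// that PHP 5.2 added as a seventh parameter:
// setcookie('username', 'michele', $expires, '/', '', true, true);

// Equivalent options-array form (PHP 7.3 and later), which also allows
// the samesite attribute.
setcookie('username', 'michele', [
    'expires'  => $expires,
    'path'     => '/',      // returned for every path on this host
    'domain'   => '',       // empty: current host only, no subdomains
    'secure'   => true,     // sent only over HTTPS
    'httponly' => true,     // hidden from JavaScript (document.cookie)
    'samesite' => 'Lax',    // not sent with cross-site POST requests
]);

// Minimal form: name and value only. The cookie then lasts until the
// browser closes, travels over plain HTTP too, and is readable by scripts.
// setcookie('username', 'michele');
```

The secure and httponly flags matter most for a cookie that identifies a user: without secure, the cookie is sent over unencrypted HTTP as well as HTTPS; without httponly, any script running in the page can read it.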
The cookie was set, but you won't be able to read it until the client reloads the page or browses to another page.

13.1.2. Accessing a Cookie

Cookies can be accessed in one of two ways. They're accessible from the $_COOKIE superglobal variable with the syntax $_COOKIE['cookiename'], as demonstrated in Example 13-2.

Example 13-2. Viewing the username cookie
This code displays the stored username: The stored username is michele. You can also see all cookies by accessing the superglobal variable $_SERVER['HTTP_COOKIE'].

13.1.3. Destroying a Cookie

Cookies can be destroyed or deleted by the client or the server. Clients can easily delete their cookies by locating the Cookies folder on their system and deleting them. The server can delete the cookies by:
In both instances, you'd use the setcookie function. To destroy a cookie by specifying the expiration time, simply call setcookie with a past expiration date, as is done in Example 13-3.

Example 13-3. Destroying a cookie by expiring it in the recent past
Example 13-3 returns: Rosebud. Now if you called the code in Example 13-2 again, you'd get: Oops, the cookie isn't set!

Sometimes you may want to restrict pages from being viewed by everyone. Do this by using PHP to get authentication from the HTTP server.
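As an added example covering both the reading step of 13.1.2 and the destroying step of 13.1.3 (it is not the book's Example 13-2 or 13-3), the script below reads the username cookie as untrusted, browser-controlled input and deletes it by resending it with an expiry in the past and the same path and attributes it was set with. The allowed username pattern and the ?logout query parameter are assumptions made for this example.

```php
<?php
// Added example, not the book's Example 13-2 or 13-3. The username format
// and the ?logout query parameter are assumptions made for this example.

function readUsernameCookie(): ?string
{
    // Missing on the first visit, or if the browser blocks cookies.
    if (!isset($_COOKIE['username'])) {
        return null;
    }
    $value = $_COOKIE['username'];
    // The browser (and anyone who can edit the cookie jar) controls this
    // value, so validate it like any other request input.
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $value)) {
        return null;
    }
    return $value;
}

function deleteUsernameCookie(): void
{
    // Resend the cookie with an expiry in the past. The path and domain
    // must match the ones used when it was set; otherwise the browser
    // treats this as a different cookie and the original survives.
    setcookie('username', '', [
        'expires'  => time() - 3600,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    // $_COOKIE still holds the value the browser sent with this request.
    unset($_COOKIE['username']);
}

// Headers first: decide whether to delete before producing any output.
if (isset($_GET['logout'])) {
    deleteUsernameCookie();
}

$username = readUsernameCookie();
if ($username === null) {
    echo "Oops, the cookie isn't set!";
} else {
    // Escape on output; the cookie is client-supplied data.
    echo 'The stored username is ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . '.';
}
```

Requesting the script with ?logout expires the cookie and prints the "isn't set" message in the same response; a plain request afterwards confirms the browser no longer sends it.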