15.1 Managing Sessions with Cookies


One way to identify users and to store data is to use cookies. For a long time cookies were the only solution for storing session data permanently, and they are still widely used today.

15.1.1 Cookie Fundamentals

HTTP does not keep a connection or any state between requests, so cookies are used to simulate a persistent interaction with the server. The idea of a cookie is to store information directly on the client. Whenever a page of the site is requested, the information in the matching cookie is sent to the server automatically. Keep in mind that the server does not fetch the cookie; the browser sends the information along with the request by itself. Let's look at a simple example:

 <?php
         // setcookie() adds a Set-Cookie header, so it must run before any output is sent
         setcookie("YourName", "Hans-Jürgen Schönig");
         header("Content-type: text/html");
         echo "Your name has been added to the cookie<br>\n";
 ?>
 <a href="checkcookie.php">Go to next page</a>

The script sets a cookie called YourName. The value of the cookie is Hans-Jürgen Schönig, which is the name of the author of this book. Note that the cookie is set before anything is sent to the client: setcookie() adds a Set-Cookie header to the response, and headers must precede any output. After that, a string and a link are displayed. If you click on the link, you get to the script called checkcookie.php, which is shown in the next listing:

 <?php
         echo "Displaying information stored in cookie:<br>\n";
         // the browser returns the cookie in the Cookie header and PHP exposes it in $_COOKIE
         // (the book's original read it as $YourName, which needs the old register_globals setting)
         if (isset($_COOKIE['YourName']))
         {
                 // escape before output: a cookie value is client-controlled input
                 echo "Data stored in the cookie: " . htmlspecialchars($_COOKIE['YourName']) . "<br>\n";
         }
         else
         {
                 echo "no data has been stored in the cookie<br>\n";
         }
 ?>

The script checks whether a cookie named YourName has been sent with the request. If it has, its content is displayed onscreen; otherwise the script displays a message saying that no data has been stored. As you saw in the preceding listing, the cookie set there is also called YourName. Note that there is no submit button, yet the data in the cookie is still available on the second page, because the browser sends it with every request to the site. If you click on the link, two lines will be displayed:

 Displaying information stored in cookie:
 Data stored in the cookie: Hans-Jürgen Schönig

The second line contains the data stored in the cookie.

The following list shows the components a cookie can have:

  • name: the name of the cookie
  • value: the value of the cookie
  • expires: the time at which the cookie expires
  • domain: the domain the cookie is valid for
  • path: the path the cookie is valid for
  • secure: restricts transmission of the cookie to secure (HTTPS) channels

In the preceding example, you saw how a cookie can be generated without an expiry time. In some cases this is not useful: if you use the cookie only to store the content of a shopping cart, you don't want the data to stay in the cookie forever.

You can define the time a cookie is valid. In the next example you can see how to do this:

 <?php
         $t = time()+3600*24;               // Unix timestamp 24 hours from now
         // arguments: name, value, expiry, path, domain -> valid for every path on postgresql.at
         setcookie("yourname","Shelley",$t,"/","postgresql.at");
         header("Content-type: text/html");
         echo "Your name has been added to the cookie<br>\n";
 ?>
 <a href="checkcookie.php">Go to next page</a>

This time the current time is computed by calling PHP's time() function. Then 24 hours (3600*24 seconds) are added to this timestamp, and the result is passed as the expiry time of the cookie. In addition, the path "/" and the domain postgresql.at are passed, so the cookie is declared valid for the entire domain called postgresql.at.

The machine the example was tested on does not belong to the domain postgresql.at, so no data will be available in the script when you click on the link:

 Displaying information stored in cookie:
 no data has been stored in the cookie

In the preceding example you saw how to generate a cookie and how then to access the value of a cookie. In the next example, you will learn how to delete a cookie:

 <?php
         if (isset($_COOKIE['yourname']))
         {
                 $t = time()-1000;            // a time in the past marks the cookie as expired
                 // path and domain are omitted, exactly as when the cookie was set, so it is the same cookie
                 setcookie("yourname","",$t);
                 header("Content-type: text/html");
                 echo "deleting cookie ...<br>\n";
                 echo "value of cookie was: " . htmlspecialchars($_COOKIE['yourname']) . "<br>\n";
         }
         else
         {
                 $t = time()+3600*24;
                 setcookie("yourname","Shelley",$t);
                 header("Content-type: text/html");
                 echo "setting cookie ...<br>\n";
         }
         echo '<a href="main.php">Reload page</a>';
 ?>

The preceding script does nothing except generate a cookie if none has been set, and delete the cookie if one has been set already. As you can see in the if branch, a cookie is deleted by setting the third parameter (the expiry time) to a time in the past. This marks the cookie as expired, and the browser discards it automatically. If you execute the script twice, the result will look like this:

 deleting cookie ...
 value of cookie was: Shelley
 Reload page

15.1.2 Dangers

Cookies are easy to use, but when you use them extensively, there are also some problems you have to take care of. One thing is that many users have disabled cookies for security reasons. Another point is that problems can easily occur in combination with secure and insecure HTTP connections. In the next example you can see which problems can occur when you are working with secure and insecure connections.

Imagine a script called setcookie.php located at http://www.cybertec.at/test/setcookie.php. The http scheme means that the data is not transmitted via a secure channel. Let's look at the script:

 <?php
         $t = time()+3600*24;
         // no path or domain argument: the browser scopes the cookie to the host that set it
         setcookie("yourname","Shelley",$t);
         echo "cookie has been set in insecure area<br>\n";
         echo '<a href="https://bachata.cybertec.at/test/secure.php">
                 secure.php</a>';
 ?>

A cookie is set and a link to https://bachata.cybertec.at/test/secure.php is displayed. As you can see, this URL points to a secure HTTP area. However, both sites, www.cybertec.at and https://bachata.cybertec.at, are located on the same machine and they are in the same domain. Here's the script located in the secure area:

 <?php
         echo "secure area ...<br>\n";
         // the cookie arrives, if at all, in the request's Cookie header
         if (isset($_COOKIE['yourname']))
         {
                 echo "the cookie is still valid<br>\n";
         }
         else
         {
                 echo "no cookie available<br>\n";
         }
 ?>

The script checks whether a cookie has been set. However, no data can be found:

 no cookie available 

The reason is that one script is located in the secure area, and the second script is in the insecure area. This can present a problem when working with online shops, because you might easily have to face a mixture of secure and insecure areas. This can be painful when writing applications, and therefore we don't recommend using cookies extensively.
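Which of the chapter's cookies reaches which script is decided by the browser, so here is an added Python model (not code from the book) of the RFC 6265 rules for host-only versus domain cookies, path, the secure flag and expiry, replayed against the chapter's own URLs, with set_cookie() taking its arguments in the same order as PHP's setcookie(). Beyond the three outcomes shown above, it also shows that setcookie() called without a domain argument yields a cookie the browser returns only to www.cybertec.at, and that passing the domain cybertec.at together with the secure flag is what lets the cookie reach https://bachata.cybertec.at while keeping it off plain http. The placement of main.php and checkcookie.php under http://www.cybertec.at/test/ and the timestamps are constructed assumptions.

```python
# Added example, not code from the book: a small model of the browser-side cookie rules of
# RFC 6265 (host-only vs domain cookies, path, Secure, expiry) replayed against the chapter's URLs.
from urllib.parse import urlsplit


def set_cookie(jar, set_url, name, value, expires=None, path=None, domain=None, secure=False):
    """Store a cookie as a browser does after set_url's response carried Set-Cookie; returns the jar."""
    u = urlsplit(set_url)
    host, host_only = u.hostname.lower(), domain is None
    domain = host if host_only else domain.lstrip(".").lower()
    if not (host == domain or host.endswith("." + domain)):
        return jar                    # RFC 6265 5.3 step 6: foreign domain, cookie is ignored
    if path is None:                  # 5.1.4 default-path: directory part of the request path
        path = u.path.rpartition("/")[0] or "/"
    # same name + domain + path replaces the stored cookie; that is how a past expiry "deletes" it
    jar[(name, domain, path)] = (value, expires, host_only, secure)
    return jar


def cookies_for(jar, url, now):
    """Return {name: value} the browser would send in the Cookie header for url at time now."""
    u = urlsplit(url)
    host, path, sent = u.hostname.lower(), u.path or "/", {}
    for (name, domain, cpath), (value, expires, host_only, secure) in jar.items():
        alive = expires is None or expires > now                          # expired = deleted
        on_host = (host == domain) if host_only else (host == domain or host.endswith("." + domain))
        on_path = path == cpath or path.startswith(cpath.rstrip("/") + "/")  # 5.1.4 path-match
        scheme_ok = not secure or u.scheme == "https"                       # Secure: https only
        if alive and on_host and on_path and scheme_ok:
            sent[name] = value
    return sent


def chapter_scenarios(now=1_000_000):
    """Replay the chapter's three outcomes, then show what the domain and secure arguments change."""
    SET, CHECK = "http://www.cybertec.at/test/main.php", "http://www.cybertec.at/test/checkcookie.php"
    SECURE = "https://bachata.cybertec.at/test/secure.php"
    out, day = {}, 3600 * 24
    jar = set_cookie({}, SET, "YourName", "Hans-Jürgen Schönig")
    out["same_host"] = cookies_for(jar, CHECK, now)                 # cookie comes back on the same host
    jar = set_cookie({}, SET, "yourname", "Shelley", now + day, "/", "postgresql.at")
    out["foreign_domain"] = cookies_for(jar, CHECK, now)            # empty: the browser rejected it
    jar = set_cookie({}, SET, "yourname", "Shelley", now + day)
    out["other_host_https"] = cookies_for(jar, SECURE, now)         # empty: host-only cookie
    jar = set_cookie({}, SET, "yourname", "Shelley", now + day, "/", "cybertec.at", True)
    out["domain_secure_https"] = cookies_for(jar, SECURE, now)      # sent: domain matches, https
    out["domain_secure_http"] = cookies_for(jar, CHECK, now)        # empty: Secure over plain http
    set_cookie(jar, SET, "yourname", "", now - 1000, "/", "cybertec.at", True)
    out["deleted"] = cookies_for(jar, SECURE, now)                  # empty: expired = deleted
    return out
```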



PHP and PostgreSQL. Advanced Web Programming, 2002
Year: 2004
Pages: 201
