4/8/2014

ITessentials-auceg - Sessions & Cookies

Hey Guys!
So, in your IT Essentials projects, you will inevitably have to use something like Sessions and
cookies. Let's take a look at why.
A fundamental characteristic of the Web is the stateless interaction between browsers and web
servers. HTTP is a stateless protocol. Each HTTP request a browser sends to a web server is
independent of any other request. The stateless nature of HTTP allows users to browse the Web by
following hypertext links and visiting pages in any order. HTTP also allows applications to distribute
or even replicate content across multiple servers to balance the load generated by a high number of
requests. These features are possible because of the stateless nature of HTTP.
This stateless nature suits applications that allow users to browse or search collections of documents.
However, applications that require complex user interaction can't be implemented as a series of
unrelated, stateless web pages. An often-cited example is a shopping cart in which items are added
to the cart while searching or browsing a catalog. The state of the shopping cart--the selected items--needs to be stored somewhere. When the user requests the order page, the items for that user need
to be displayed.
Stateful web database applications can be built using sessions and cookies, and cookies are the
topic of this chapter.

Cookies
Cookies are often used to store application state in a web browser. As with data sent with the GET
or POST methods, cookies are sent with HTTP requests made by a browser. A cookie is a named
piece of information that is stored in a web browser. A browser can create a cookie using
JavaScript, but a cookie is usually sent from the web server to the client in the Set-Cookie header
field as part of an HTTP response. Consider an example HTTP response:

    HTTP/1.0 200
    Content-Length: 1276
    Content-Type: text/html
    Date: Tue, 06 Nov 2001 04:12:49 GMT
    Expires: Tue, 06 Nov 2001 04:12:59 GMT
    Server: simwebs/3.1.6
    Set-Cookie: animal=egg-laying-mammal

    <html>...</html>

The web browser that receives this response remembers the cookie and includes it as the header
field Cookie in subsequent HTTP requests to the same web server. For example, if a browser
receives the response just shown, a subsequent request has the following format:

    GET /duck/bill.php HTTP/1.0
    Connection: Keep-Alive
    Cookie: animal=egg-laying-mammal
    Host: www.webdatabasebook.com
    Referer: http://www.webdatabasebook.com/

There are several additional parameters used with the Set-Cookie header that define when a cookie
can be included in a request:

- A cookie can have a date and time at which it expires. The browser includes the cookie
  in requests up until that date and time. If no expiry date is given, the cookie is
  remembered only while the browser is running. Cookies that are kept only while the
  browser is running are known as session cookies.
- A domain limits the sites to which a browser can send the cookie. If no domain is set,
  the browser includes the cookie only in requests sent to the server that set the cookie.
- Browsers don't include the cookie in requests for resources that aren't in the specified
  path. This is useful if only part of a web site requires that a cookie be sent.
- A cookie can also be marked as secure, instructing the browser to send the cookie
  only when using a secure connection through the Secure Sockets Layer protocol. This
  prevents sensitive data stored in a cookie from being transmitted in an insecure form.

Cookies can be included in an HTTP response using the header( ) function; however, the developer
needs to know how to encode the cookie name, value, and the other parameters described earlier in
the Set-Cookie header field. To simplify cookie creation, PHP provides the setcookie( )
function that generates a correct header field.
Example: Setting a cookie using PHP

    <?php
    // Cookie values arrive in $_COOKIE and are controlled by the client,
    // so cast them to integers before using or displaying them
    if (!isset($_COOKIE["count"])) {
        // No cookie called count, set the counter to zero
        $count = 0;
        // .. and set a cookie with the "start" time
        // of this stateful interaction
        $start = time( );
        setcookie("start", $start, time( )+600, "/", "", 0);
    } else {
        $count = (int) $_COOKIE["count"] + 1;
        // Reuse the start time sent back by the browser, if it is still there
        $start = isset($_COOKIE["start"]) ? (int) $_COOKIE["start"] : time( );
    }
    // Set a cookie "count" with the current value
    setcookie("count", $count, time( )+600, "/", "", 0);
    ?>
    <!DOCTYPE HTML PUBLIC
      "-//W3C//DTD HTML 4.0 Transitional//EN"
      "http://www.w3.org/TR/html4/loose.dtd" >
    <html>
    <head><title>Cookies</title></head>
    <body>
    <p>This page comes with cookies: Enjoy!
    <br>count = <?=$count ?>.
    <br>start = <?=$start ?>.
    <p>This session has lasted
    <?php
      // Elapsed time since the "start" cookie was set
      $duration = time( ) - $start;
      echo "$duration";
    ?>
    seconds.
    </body>
    </html>

The setcookie( ) function is called with six arguments, although only the first--the name--is required:

    int setcookie(string name, [string value], [int expire], [string path],
                  [string domain], [int secure])

The two calls to setcookie( ) in the above example add the Set-Cookie header field to the
HTTP response. The first encodes the start cookie with the value of the current time as an integer
returned from the time( ) function. The second encodes the count cookie with the value of the
variable $count. Both cookies are set with the expiry date of the current time plus 600 seconds; that
is, 10 minutes. With the path parameter set to /, the browser includes the cookies with all requests to
the site. By passing an empty string for the domain, the browser includes the cookies only with
requests to the domain of the machine serving this page. The final parameter 0 allows the browser to
transmit the cookies over both secure and insecure connections.
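
How a browser applies these parameters can be followed in code. The JavaScript below is an added example, not part of the original page or of any browser's source; it applies the expiry, domain, path and secure rules described earlier to the count cookie, and the object fields, the shop. subdomain and the /admin path are assumptions made for illustration.

```javascript
// Added example (not from the original page). Field names are hypothetical.
// Returns true if a browser following the rules above would attach the cookie.
function shouldSendCookie(cookie, requestUrl, now) {
  const url = new URL(requestUrl);
  const host = url.hostname.toLowerCase();
  // Expiry: sent only up until the expiry time; null models a session cookie.
  if (cookie.expires !== null && now >= cookie.expires) return false;

  // Domain: if none was set, only the server that set the cookie receives it.
  // If one was set, that domain and its subdomains match (RFC 6265).
  if (cookie.domain === "") {
    if (host !== cookie.setBy) return false;
  } else {
    const d = cookie.domain.replace(/^\./, "").toLowerCase();
    if (host !== d && !host.endsWith("." + d)) return false;
  }

  // Path: compare whole segments, so "/admin" does not match "/administrator".
  const prefix = cookie.path.endsWith("/") ? cookie.path : cookie.path + "/";
  if (url.pathname !== cookie.path && !url.pathname.startsWith(prefix)) return false;

  // Secure: never attached to a request over plain HTTP.
  if (cookie.secure && url.protocol !== "https:") return false;
  return true;
}

// Constructed sample: the "count" cookie as the page's PHP example sets it
// (expiry now+600 s, path "/", empty domain, secure 0), set by the host
// used in the page's request example.
const T0 = 1000000000; // arbitrary "now" in seconds
const countCookie = { name: "count", expires: T0 + 600, path: "/",
                      domain: "", secure: false, setBy: "www.webdatabasebook.com" };
const secureCookie = { ...countCookie, secure: true };   // same, secure flag on
const adminCookie = { ...countCookie, path: "/admin" };  // same, narrower path

// Each row: [sent with secure=0, sent with secure=1, sent with path=/admin]
function demo() {
  const requests = [
    ["http://www.webdatabasebook.com/duck/bill.php", T0 + 10],
    ["https://www.webdatabasebook.com/admin/home.php", T0 + 10],
    ["http://www.webdatabasebook.com/administrator", T0 + 10],
    ["http://shop.webdatabasebook.com/", T0 + 10],
    ["http://www.webdatabasebook.com/duck/bill.php", T0 + 601],
  ];
  return requests.map(([u, t]) =>
    [countCookie, secureCookie, adminCookie].map(c => shouldSendCookie(c, u, t)));
}
console.log(demo());
```

The first row is the case the final parameter 0 permits: the cookie travels over plain HTTP, while the same cookie with the secure flag set is withheld until the request uses HTTPS.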
Cookies can be used for simple applications that don't require complex data to be kept between
requests. However, there is a limit on the number and size of cookies that can be set: a browser can
keep only the last 20 cookies sent from a particular domain, and the values that a cookie can hold
are limited to 4 KB in size. Also, there are arguments about both the privacy and the security of
applications that use cookies, and users often disable cookie support in their browsers.
