PHP COOKIES, SESSIONS,



Similar documents
Multimedia im Netz Online Multimedia Winter semester 2015/16. Tutorial 03 Major Subject

CSE 135 Server Side Web Languages Lecture # 7. State and Session Management

OVERVIEW OF ASP. What is ASP. Why ASP

Web Application Security Considerations

Check list for web developers

JAVASCRIPT AND COOKIES

Lecture 11 Web Application Security (part 1)

Introduction to Server-Side Programming. Charles Liu

Web application security

Building Dynamic Websites With the MVC Pattern. ACM UIUC, 2010

Advertisers: Recommendations regarding how to integrate Reactivpub tags in Joomla

Lecture 8a: WWW Proxy Servers and Cookies

An Insight into Cookie Security

Intro to Web Programming. using PHP, HTTP, CSS, and Javascript Layton Smith CSE 4000

Lecture 8a: WWW Proxy Servers and Cookies

ASP Tutorial. Application Handling Part I: 3/15/02

Outline Definition of Webserver HTTP Static is no fun Software SSL. Webserver. in a nutshell. Sebastian Hollizeck. June, the 4 th 2013

E-Commerce: Designing And Creating An Online Store

Chapter 1 Load Balancing 99

Repeater. BrowserStack Local. browserstack.com 1. BrowserStack Local makes a REST call using the user s access key to browserstack.

General principles and architecture of Adlib and Adlib API. Petra Otten Manager Customer Support

Topic 7: Back-End Form Processing and Database Publishing with PHP/MySQL

PHP Integration Kit. Version User Guide

Specify the location of an HTML control stored in the application repository. See Using the XPath search method, page 2.

Protocolo HTTP. Web and HTTP. HTTP overview. HTTP overview

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Advanced Tornado TWENTYONE Advanced Tornado Accessing MySQL from Python LAB

Fachgebiet Technische Informatik, Joachim Zumbrägel

Cache Configuration Reference

SSC - Web applications and development Introduction and Java Servlet (II)

The Internet, Intranets, and Extranets. What is the Internet. What is the Internet cont d.

DEPLOYMENT GUIDE Version 1.2. Deploying the BIG-IP system v10 with Microsoft Exchange Outlook Web Access 2007

A Comparison of Software Architectures for E-Business Applications

Working With Virtual Hosts on Pramati Server

ISI ACADEMY Web applications Programming Diploma using PHP& MySQL

Web. Services. Web Technologies. Today. Web. Technologies. Internet WWW. Protocols TCP/IP HTTP. Apache. Next Time. Lecture # Apache.

SiteCelerate white paper

DEPLOYMENT GUIDE Version 2.1. Deploying F5 with Microsoft SharePoint 2010

CS 188/219. Scalable Internet Services Andrew Mutz October 8, 2015

Criteria for web application security check. Version

Table of Contents. Open-Xchange Authentication & Session Handling. 1.Introduction...3

Cookies Overview and HTTP Proxies

Cloud Elements! Marketing Hub Provisioning and Usage Guide!

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

Cyber Security Challenge Australia 2014

SQL Injection Attack Lab Using Collabtive

Example for Using the PrestaShop Web Service : CRUD

Fairsail REST API: Guide for Developers

Using Foundstone CookieDigger to Analyze Web Session Management

Toad for Data Analysts, Tips n Tricks

PHP Tutorial From beginner to master


1.5.5 Cookie Analysis

CTIS 256 Web Technologies II. Week # 1 Serkan GENÇ

Web development... the server side (of the force)

CHAPTER 3 PROBLEM STATEMENT AND RESEARCH METHODOLOGY

Frequently Asked Questions Ag Banking Online

Webair CDN Secure URLs

A Java proxy for MS SQL Server Reporting Services

Session Management in Web Applications

Application Security Testing. Generic Test Strategy

Web Development using PHP (WD_PHP) Duration 1.5 months

Working with forms in PHP

Abusing Locality in Shared Web Hosting. Nick Nikiforakis

Advanced Web Security, Lab

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

Cloud Elements ecommerce Hub Provisioning Guide API Version 2.0 BETA

Session Clustering in PHP

MyOra 3.0. User Guide. SQL Tool for Oracle. Jayam Systems, LLC

Follow Up Getting Started. How to install extension

Load testing with. WAPT Cloud. Quick Start Guide

CommonSpot Content Server Version 6.2 Release Notes

DATA COMMUNICATOIN NETWORKING

Top 10 Web Application Security Vulnerabilities - with focus on PHP

XML Processing and Web Services. Chapter 17

CS640: Introduction to Computer Networks. Applications FTP: The File Transfer Protocol

HTTP. Internet Engineering. Fall Bahador Bakhshi CE & IT Department, Amirkabir University of Technology

Engagement Analytics Configuration Reference Guide

Webapps Vulnerability Report

Certified The Grinder Testing Professional VS-1165

Scalability of web applications. CSCI 470: Web Science Keith Vertanen

Paladin Computers Privacy Policy Last Updated on April 26, 2006

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Integrating LivePerson with Salesforce

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

MySQL Cluster Delivering Scalable & Highly Available Session Management

Breaking Web Applications in Shared Hosting Environments. Nick Nikiforakis Katholieke Universiteit Leuven

Web Security Threat Report: January April Ryan C. Barnett WASC Member Project Lead: Distributed Open Proxy Honeypots

Online Multimedia Winter semester 2015/16

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Web Application Guidelines

Varnish Tips & Tricks, 2015 edition

THE CHALLENGE OF ADMINISTERING WEBSITES OR APPLICATIONS THAT REQUIRE 24/7 ACCESSIBILITY

CSCI110 Exercise 4: Database - MySQL

Web Security CS th November , Jonathan Francis Roscoe, Department of Computer Science, Aberystwyth University

Last update: February 23, 2004

Transcription:

PHP COOKIES, SESSIONS, AND SESSION VARIABLES Fall 2009 CSCI 2910 Server Side Web Programming Objectives Understand and use Cookies in PHP scripts. Understand and use Sessions and Session variables in PHP scripts. 1

HTTP HTTP is a stateless protocol Each page "stands alone" and has no memory of past actions. Addressed in Netscape 3.0 with cookies. Cookies allow us to write data to user's computer and read that data as user traverses site. Cookies can only be written as part of header information, therefore cannot create or add to a cookie after writing to browser. Using cookies To create a cookie, use setcookie() setcookie(cookiename, value, [expire]); setcookie("cook","27"); Expiration expressed using time. If not set, cookie is valid for this user session only. setcookie("other","1", time()+60*60*24*30); http://einstein.etsu.edu/~pittares/csci2910/examples/8 1.php Retrieved similar to $_POST variables: $_COOKIE['cookiename'] http://einstein.etsu.edu/~pittares/csci2910/examples/8 2.php 2

Deleting and checking cookies To delete: overwrite cookie with expiration time in the past. setcookie("cook","",time()-100); k" "" ti () http://einstein.etsu.edu/~pittares/csci2910/examples/8 3.php Actual cookie deletion done by user's browser. To see if the user accepts cookies, write one and then check (on another page or after a refresh) to see if it exists. Cookie tutorial: http://einstein.etsu.edu/~pittares/csci2910/examples/8 4.php Conclusion: Using Cookies If user accepts cookies, and if you remember to manage setting them prior to non header output, then they're fine. If you use Sessions: PHP manages complexity. If the user doesn't support cookies, PHP has an automated "workaround". More complex data storage (arrays, etc.) easier to implement. But, you lose multi visit persistence 3

What is session control? Gives ability to track a user through site, and easily move data related to that user among pages. No need to move data through hhidden form fields. Very useful for authentication, but can be used any time persistent data needed throughout a site visit. How sessions work Sessions are identified by a random number (Session ID) generated by PHP and stored on the client computer in 1 of 2 ways: Using a cookie, if the user's browser supports. Appending the session number to URLs as user traverses site www.whatever.com?phpsessid=495294532459x Session ID corresponds a session data store on server A session will eventually expire usually after a specified period of inactivity. 4

Progression of events PHP script starts a session. Done before any other page activity. session_start(); t() Session ID created and stored on user's computer. (if possible) Session variables are created, and values stored on the server. PHP script can use these variables from page to page throughout a site. Using session variables Some PHP servers automatically start a Session for every user when they visit the site. May slow things down due to unnecessary overhead. Controlled by PHP.ini file on the server. http://einstein.etsu.edu/~pittares/phptest/phpinformation.php Session operations changed in PHP 4.1, so be careful with older installationsand and reference books. 5

Starting a session In any script using sessions, you must first call session_start(). If session has not been established, this will do that. If a session has been established, this will load session data. You must start the session at the very beginning of the script as part of header transmission. Add or access session variables by using the $_SESSION superglobal array. Session Handling <?php session_start(); $_SESSION['name'] = "Dr. Tony Pittarese"; $_SESSION['office'] = "Nicks 484"; $_SESSION['phone'] = 96951;?> http://einstein.etsu.edu/~pittares/csci2910/examples/8 5.php <?php session_start(); start(); echo "Here's the session info:<br />"; foreach ($_SESSION as $var=>$contents) echo "$var: $contents<br />";?> 6

Manipulating Session ID session_id() allows you to get or set the Session ID. If no parameter, returns the Session ID. If given a parameter, sets that as the Session ID. http://einstein.etsu.edu/~pittares/csci2910/examples/8 7.php http://einstein.etsu.edu/~pittares/csci2910/examples/8 8.php Manipulating the Session data session_unset() erases all session variables and data. http://einstein.etsu.edu/~pittares/csci2910/examples/8 9.php / / / / h unset() can be used to erase a single variable and data. unset($_session['myvar']); session_destroy() destroys the session data (without destroying the session variables). Can be useful for "logging out" user. http://einstein.etsu.edu/~pittares/csci2910/examples/8 10.php http://einstein.etsu.edu/~pittares/csci2910/examples/8 11.php 7

Session variable arrays Session variables can be arrays <?php session_ start(); $_SESSION['list'][]="Hello"; $_SESSION['list'][]="Wow"; echo count($_session['list'])."<br />"; foreach ($_SESSION['list'] as $item) echo "$item<br />";?> Can be useful technique for shopping carts or other data that is accumulated over multiple page visits. http://einstein.etsu.edu/~pittares/csci2910/examples/8 12.php When and why to use Sessions Performance When performing a slow operation, storing the results for use on several pages pg is better than repeating the calculation on each. Example: storing results of SQL query Sequence When a user process takes place over a sequence of screens, storing information saves time and user input. Personalization Session variables can be used to store user color or layout preferences or facts about browsing activity. Pages can then adapt to that activity. http://einstein.etsu.edu/~pittares/csci2910/examples/8 13.php 8

Potential problems with Sessions Multiple Servers Since session information stored on server, harder to configure when multiple servers fulfill user requests. Handled typically by using a DB to store session data. Performance Additional workload for server to store and retrieve information. Garbage Collection Since user may abandon site visit, must determine session timeout values and employ garbage collection. Potential problems with Sessions Bookmarking Unlike GET parameters which can be bookmarked, dt data moved from page to page is lost when the user bookmarks a page and returns later. Security If a user can counterfeit a SESSION cookie, they could "hijack" another user's interaction session. 9

Session ID Numbers If the user allows Cookies, this will be handled automatically. If the user does not allow Cookies, then as you move from page to page you (the programmer) must manually keep up with the Session ID. Append the SID to the URL. <a href="session2.php?phpsessid=<?=sid?>">test</a> p? SS? S? Or turn on transparent SID support in the PHP configuration If Transparent SID is on If the user accepts cookies: If the user does not accept cookies: 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information