php 08 sessions cookies redirect

Upload: sadiaali

Post on 02-Jun-2018


  • 8/10/2019 PHP 08 Sessions Cookies Redirect

    1/56

    Cookies, Sessions, and Authentication

    Dr. Charles Severance

    www.php-intro.com


    High Level Summary

    The web is stateless- the browser does not maintain connection to the server while you are looking at a pagmay never come back to the same server - or it may betime - or it may be one second later

    So we need a way for servers to know which browser

    In the browser state is stored in Cookies

    In the server state is stored in Sessions


    Other Web sites always seem to know who you ar


    Multi-User

    When a server is interacting with many different browsesame time, the server needs to know *which* browser particular request came from

    Request / Response initially was stateless - all browseidentical - this was really really bad and did not last verall.


    Web Cookies to the Resc

    http://en.wikipedia.org/wiki/HTTP_cookie

    Technically, cookies are arbitrary pieces of data cho

    the Web server and sent to the browser. The brow

    returns them unchanged to the server, introducing a

    (memory of previous events) into otherwise stateles

    transactions. Without cookies, each retrieval of a We

    or component of a Web page is an isolated event, m

    unrelated to all other views of the pages of the sam


    Cookies In the Browser

    Cookies are marked as to the web addresses they comthe browser only sends back cookies that were originathe same web server

    Cookies have an expiration date - some last for years -are short-term and go away as soon as the browser is


    http://www.php-intro.com/code/sessions/sessfu

    In a fresh browser.


    Sessions


    In The Server - Session

    In most server applications, as soon as we meet a new- we create a session

    We set a session cookie to be stored in the browser whindicates the session id in use

    The creation and destruction of sessions is handled byframework or some utility code that we just use to mansessions


    Session Identifier

    A large, random number that we place in a browser coofirst time we encounter a browser.

    This number is used to pick from the many sessions thserver has active at any one time.

    Server software stores data in the session which it wanfrom one request to another from the same browser.

    Shopping cart or login information is stored in the sesthe server


    PHP Sessions


    We can establish / initialize a PHP Session by calling session_start() before any output has come out

    If the user has cookies set, we can use the array $_SESSION to store data from one request to the next with a particular browser

    We have a bit of data that persists from one request to the next

    By default these are stored in a temporary folder


    (On a Mac) /Applications/MAMP/tmp/php


    http://php.net/manual/en/function.sess


    http://php.net/manual/en/function.sessi


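    <?php
    // Note - cannot have any output before this
    session_start();

    if ( ! isset($_SESSION['value']) ) {
        // First request from this browser: nothing stored yet
        echo("<p>Session is empty</p>\n");
        $_SESSION['value'] = 0;
    } else if ( $_SESSION['value'] < 3 ) {
        $_SESSION['value'] = $_SESSION['value'] + 1;
        echo("<p>Added one...</p>\n");
    } else {
        // Throw the old session away and start a new one
        session_destroy();
        session_start();
        echo("<p>Session Restarted</p>\n");
    }
    ?>
    <p><a href="sessfun.php">Click Me!</a></p>
    <p>Our Session ID is: <?php echo(session_id()); ?></p>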


    sessfun.php


    POST / Redirect / GET

    Once you do a POST, if you do refresh, the browre-send the POST data a second time

    The user gets a popup that tries to explain what to happen


    guess.php

    Press Refresh


    No Double Posts

    Typically POST requests are adding or modifyingwhilst GET requests view data

    It may be dangerous to do the same POST twicewithdrawing funds from a bank account)

    So the browser insists on asking the user (out of control)

    Kind of an ugly UX / bad usability


    HTTP Location Header

    If your application has not yet sent any data, it caa special header as part of the HTTP Response

    The redirect header includes a URL that the browser is supposed to forward itself to

    It was originally used for web sites that moved from one URL to another

    http://en.wikipedia.org/wiki/UR


    http://php.net/manual/en/function.header.php


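    <?php
    session_start();
    if ( isset($_POST['where']) ) {
        // header() only works if no output has been sent yet
        if ( $_POST['where'] == '1' ) {
            header("Location: redir1.php");
            return;
        } else if ( $_POST['where'] == '2' ) {
            header("Location: redir2.php?parm=123");
            return;
        } else {
            header("Location: http://www.dr-chuck.com");
            return;
        }
    }
    ?>
    <p>I am Router Two...</p>
    <form method="post">
        <p><label for="where">Where to go? (1-3)</label>
        <input type="text" name="where" id="where"></p>
        <input type="submit">
    </form>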


    After we entered "2"

    and pressed "Submit"

    Two pages were retrieved


    Second page


    POST Redirect Rule

    The simple rule for pages intended for a browser is to never generate a page with HTML content when the app receives POST data

    Must redirect somewhere - even to the same script - forcing the browser to make a GET after the POST


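    <?php
    $message = false;
    if ( isset($_POST['guess']) ) {
        // Trick for integer / numeric parameters
        $guess = $_POST['guess'] + 0;
        if ( $guess == 42 ) {
            $message = "Great job!";
        } else if ( $guess < 42 ) {
            $message = "Too low";
        } else {
            $message = "Too high...";
        }
    }
    ?>
    <html>
    <head><title>A Guessing game</title></head>
    <body>
    <p>Guessing game...</p>
    <?php if ( $message !== false ) { echo("<p>$message</p>\n"); } ?>
    <form method="post">
        <p><label for="guess">Input Guess</label>
        <input type="text" name="guess" id="guess"></p>
        <input type="submit">
    </form>
    </body>
    </html>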


    Enter "41" and press "Submit"


    Press "Refresh"
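
The POST Redirect Rule applied to the guessing game, as an added example that is not from the original slides: the POST branch stores its result in the session and redirects, so pressing Refresh repeats only the GET. The `message` session key, the digit check and the 303 status code are assumptions of this example.

```php
<?php
// guess.php - added example: POST / Redirect / GET with a one-time session message
session_start();   // must run before any output so header() still works

if ( isset($_POST['guess']) ) {
    $raw = $_POST['guess'];
    // Validate instead of coercing: arrays and non-numeric text are rejected
    if ( ! is_string($raw) || ! ctype_digit($raw) ) {
        $_SESSION['message'] = "Please enter a whole number";
    } else {
        $guess = (int) $raw;
        if ( $guess == 42 ) {
            $_SESSION['message'] = "Great job!";
        } else if ( $guess < 42 ) {
            $_SESSION['message'] = "Too low";
        } else {
            $_SESSION['message'] = "Too high...";
        }
    }
    // Never render HTML in response to a POST: redirect to ourselves
    header("Location: guess.php", true, 303);
    return;
}

// From here on the request is never a guess submission
$message = false;
if ( isset($_SESSION['message']) ) {
    $message = $_SESSION['message'];
    unset($_SESSION['message']);     // show once, then forget
}
?>
<html>
<head><title>A Guessing game</title></head>
<body>
<p>Guessing game...</p>
<?php if ( $message !== false ) { ?>
<p><?= htmlspecialchars($message) ?></p>
<?php } ?>
<form method="post">
<p><label for="guess">Input Guess</label>
<input type="text" name="guess" id="guess"></p>
<input type="submit">
</form>
</body>
</html>
```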


    Login / Logout

    Having a session is not the same as being logged in.

    Generally you have a session the instant you connect tsite

    The Session ID cookie is set when the first page is deli

    Login puts user information in the session (stored in the

    Logout removes user information from the session

    Simple address


    http://www.php-intro.com/code/sessions/

    Simple addresssession as s


    Please Log In

    Account:


    ?>Online Address Book


    if ( ! isset($_SESSION["account"]) ) { ?>Please Log In to start.

    Please enter your address:

    Street:


    PHP Sessions Without Cookies

    For a simple application handling login, logout, ashopping cart like information, cookie sessions asufficient

    But if an application needs to function within an ifor have more than one session active (i.e. multip

    to the same site) we cannot use session cookies

    PHP has nice support for maintaining a sessionsa cookie


    No Cookies for You!


    Click This Anchor Tag!


    A whole host of problems

    Session id is not automatically added in JavaScript, Ajax, Redirect, or other elements of HTML

    With the session id on the URL, folks can email U

    even bookmark them and be logged in

    We will come back to these...
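
A login and logout handler for the flow described under Login / Logout, written so that the session id is accepted from the cookie only and replaced at login, which keeps a mailed or bookmarked URL from carrying a logged-in session. This is an added example, not the original slide code; the `login.php` file name, the `pw` field, the `error` key and the demo account are assumptions.

```php
<?php
// login.php - added example: cookie-only session id, replaced when the user logs in
session_start([
    'use_only_cookies' => 1,     // ignore any session id passed on the URL
    'use_trans_sid'    => 0,     // never rewrite links to carry the session id
    'use_strict_mode'  => 1,     // refuse ids the server did not issue
    'cookie_httponly'  => 1,     // hide the cookie from page JavaScript
]);
// Constructed demo account; a real application looks the hash up in a database
$accounts = array('demo' => password_hash('constructed-demo-password', PASSWORD_DEFAULT));

if ( isset($_POST['logout']) ) {
    unset($_SESSION['account']);        // logout removes user information
    session_regenerate_id(true);
    header("Location: login.php");
    return;
}
if ( isset($_POST['account']) && isset($_POST['pw']) ) {
    $account = $_POST['account'];
    $pw = $_POST['pw'];
    if ( is_string($account) && is_string($pw) && isset($accounts[$account])
         && password_verify($pw, $accounts[$account]) ) {
        // The visitor already had a session id before logging in: replace it now
        session_regenerate_id(true);
        $_SESSION['account'] = $account;   // login puts user information in the session
    } else {
        $_SESSION['error'] = "Incorrect account or password";
    }
    header("Location: login.php");   // POST / Redirect / GET
    return;
}
$error = isset($_SESSION['error']) ? $_SESSION['error'] : false;
unset($_SESSION['error']);
?>
<html><body>
<?php if ( $error !== false ) { ?><p><?= htmlspecialchars($error) ?></p><?php } ?>
<?php if ( isset($_SESSION['account']) ) { ?>
<p>Logged in as <?= htmlspecialchars($_SESSION['account']) ?></p>
<form method="post"><input type="submit" name="logout" value="Logout"></form>
<?php } else { ?>
<p>Please Log In</p>
<form method="post">
<p>Account: <input type="text" name="account"></p>
<p>Password: <input type="password" name="pw"></p>
<input type="submit" value="Log In">
</form>
<?php } ?>
</body></html>
```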


    Summary

    Cookies

    Sessions

    Sessions in PHP

    Login / Logout

    POST / Redirect Pattern

    Cookie-free sessions

    Acknowledgements / Contributions


    These slides are Copyright 2010- Charles R. Severance (www.dr-chuck.com) as part of www.php-intro.com and made available under a Creative Commons Attribution 4.0 License. Please maintain this last slide in all copies of the document to comply with the attribution requirements of the license. If you make a change, feel free to add your name and organization to the list of contributors on this page as you republish the materials.

    Initial Development: Charles Severance, University of Michigan School of Information

    Insert new Contributors and Translators here including names and dates

    Continue new Contributors and T