PHP State Maintenance (Cookies, Sessions, Hidden Inputs)

Transcription

1 PHP State Maintenance (Cookies, Sessions, Hidden Inputs)

2 What is meant by state? The Hypertext Transfer Protocol (HTTP) is stateless. This means that each time a browser requests a page, a connection from the browser/client to the server is set up for the sole purpose of transferring that particular page To maintain state means the ability to retain values of variables and to keep track of users who are logged into the system.

3 Methods for maintaining state Cookies Sessions Passing [hidden] variables

4 What is a cookie? Short pieces of text generated during web activity and stored in the user s machine for future reference Instructions for reading and writing cookies are coded by website authors and executed by user browsers Developed for user convenience to allow customization of sites without need for repeating preferences Cookies are simple text strings of the form of name=value which are stored persistently on the client s machine. A URL is stored with each cookie and it is used by the browser to determine whether it should send the cookie to the web server.

5 Cookie Facts Most Cookies store just 1 data value A Cookie may not exceed 4 Kb in size Browsers are preprogrammed to allow a total of 300 Cookies, after which automatic deletion based on expiry date and usage Limit of 20 cookies per server Cookies have 3 key attributes: name, value and expiry date

6 Cookies & Paranoia Why are Cookies notorious? Most Cookie activity is transparent to the user Most people do not understand what Cookies can and cannot do People do not know how to protect themselves from Cookies Valid reason: There are organizations out there using Cookies to track your activities (More later)

7 Cookie Scope: Cannot Do Have automatic access to personal information like name, address, Read or write data to hard disk Read or write information in cookies placed by other sites Run programs on your computer

8 Cookie Scope: Can Do Store and manipulate any information you explicitly provide to a site Track your interaction with parent site such as pages visited, time of visits, number of visits Use any information available to web server including: IP address, Operating System, Browser Type

9 Cookie Fixes: Getting in Control Turn up security level on your browser to disable cookies or prompt for cookies Delete the content of a cookie and then write protect it

10 Anatomy of a (Simple) Cookie String of text with these 6 attributes: The domain and path for which the cookie is valid The name of the cookie The value of the cookie The expiration date of the cookie Whether a secure connection needed to use the cookie

11 Working with Cookies The domain and path are automatically handled by the browser, script author has no control For a given domain and path, a script may create any number of cookies by specifying a name, value and expiry date Each (simple) cookie is stored in a separate text file in Temporary Internet Folder, but tagged to a specific domain Cookies are handled by the browser as an Object called document.cookie and read/written using object dot notation

12 Cookie Viruses? On most platforms, Cookies are stored as text only files. To cause damage the Cookie must be an executable On Windows, text files are non-executable and would open in a text editor if double clicked In general, there are easier loopholes for a hacker in ActiveX controls, Outlook Express etc The threat from Cookies is not from what they can do to your computer but what information they may store and pass on

13 Conclusion Cookies were originally created as harmless pieces of text for user convenience Along the way, some evil geniuses found a way to exploit them for business Most studies conclude are not harmful to user: Would you rather see an ad for a product that s relevant or one you d never buy? The paranoia arises from the invisible nature of cookie transactions and inadequate information about their ability.

14 Cookie Example <?php $value = 'something from somewhere'; setcookie("testcookie", $value); setcookie("testcookie", $value, time()+ 60*60*24*7); /* expire in 1 week*/?> Welcome! Here is what is stored in the cookie <?php // Print an individual cookie echo $_COOKIE["TestCookie"]; echo $HTTP_COOKIE_VARS["TestCookie"];?> // Another way to debug/test is to view all cookies print_r($_cookie);

15 Common Pitfalls Can t call setcookie() after output has been sent to the browser Can t have more than 20 cookies/server Cookies ONLY persist until the browser closes UNLESS you specify an expiry date: setcookie( name, $value, time() );

16 Sessions Sessions are just like cookies, except they store the user s data on the web server (versus cookies, which are on the client s machine) Every request has a unique session id (this is how the connection is maintained between client and server) If the browser is closed, the session id is lost

17 Session Example (first_page.php) <?php // start the session session_start(); $_SESSION['name'] = "Mr. Your Name"; $_SESSION['user_id'] = "namey"; $_SESSION['password'] = "MYPASSWORD";?> <strong>session currently contains:</strong><br/> <p>session Id: <em><?php echo session_id();?> </em></p> <pre><?php print_r($_session);?></pre> <br /> <p>to see something specific, you just need to reference the array element by name: <b><?php echo $_SESSION['name'];?></b></p> <p>let's see what happens on the <a href="next_page.php">next page.</a></p>

18 Session Example (2) next_page.php <?php // start the session, always needs to be done at the top of a page that is going to use sessions session_start(); /* you can remove a specific element off the $_SESSION array by using the unset() function. NOTE: unset() works for ANY and ALL arrays in PHP */ if(isset($_session['name'])) unset($_session['name']);?> <strong>what is on the session after "unset"'ting <em>$_session['name']</em></strong><br/> <p>session Id: <em><?php echo session_id();?></em> (same as before)</p> <pre><?php print_r($_session);?></pre> <br /> <br />Let's see what happens on the <a href="next_page2.php">next page.</a>

19 Session Example (3) next_page2.php <?php // start the session, always needs to be done at the top of a page that is going to use sessions session_start(); /* you can remove all elements off the $_SESSION array by using the session_unset() function. NOTE: the session and it's id will still exist, only it will be empty */ if(isset($_session)) session_unset();?> <strong>what is on the session after "unset"'ting <em>the whole session</em></strong><br/> <p>session Id: <em><?php echo session_id();?></em> (same as before, this is the only thing left)</p> <pre><?php print_r($_session);?></pre> <br /> <br />Let's see what happens on the <a href="next_page3.php">next page.</a>

20 Session Example (4) next_page3.php <?php // start the session, always needs to be done at the top of a page that is going to use sessions session_start(); echo "<p>session Id: <em>".session_id()." (session id is still available before the destroy) <br/><br/>"; /* you can remove all elements off the $_SESSION array, and remove the session id by using the session_destroy() function. */ if(isset($_session)) session_destroy();?> <strong>what is on the session after <em>destroying the $_SESSION[]</em></strong><br/> <p>session Id: <em><?php echo session_id();?></em> (even the session id is dumped)</p> <pre><?php print_r($_session);?></pre> <br />Let's see what happens on the <a href= next_page4.php">next page.</a><br /><br />

21 Session Example (5) next_page4.php <?php // start the session, as per session_start(); //you can get rid of all session variables using the //session_destroy() function //but first it is recommended you call the session_unset() function //it is a bug in certain versions of PHP session_unset(); //unsets the whole $_SESSION array session_destroy(); //destroys it by freeing up the memory?> Welcome to my website <strong><? echo $_SESSION['name'];?></strong>! <br />

22 Session Example (6) Sometimes (though it should not happen), calling the session_start(); will break your page To get around this, check if the session is already started, and if it is DO NOT start it again Here is the simple code to check if a session is started: <?php if(session_id() == "") { session_start(); }?> The session id will only ever be empty if the session has not already been started. Again this should not have to happen, but if calling the session_start on a page is causing the page not to display, you can try it.

23 Some Session Resources hp sion-start.php

24 Passing Hidden Variables <form method="post" action="main.php"> <?php?> $course=urldecode($_get ['course']); $student_id=urldecode($_get['student_id']); <input type="hidden" name= course" value= echo $course"> <input type="hidden" name="student_id" value= echo$student_id"> </form>