
php session management



    PHP Session Management
    Prof. Jim Whitehead, CMPS 183, Spring 2006, May 5 2006

    Session Management
    In Web applications it is frequently desirable to:
      Remember if a user has visited a site previously
      Remember the sequence of pages visited during a session
      Associate information with a user session, like a shopping basket

    To accomplish these things we need to have stateful connections between client and server, that is, associate information (state) with the connection. HTTP was originally designed to not be stateful, leading to the addition of the Cookie mechanism.

    Cookies
    A mechanism for adding state to HTTP requests. Permits name/value pairs to be preserved across multiple HTTP requests.
    Basic approach:
      The server sends a Set-Cookie HTTP header in its response. The value of the header includes name/value pairs.
      The client stores the name/value pairs and proactively sends them to the server in the Cookie header with every request thereafter.
      The Cookie protocol piggybacks on top of HTTP.
    Information flow is in the reverse direction of most HTTP requests:

      client                                                  server
        --- GET ---------------------------------------------->
        <-- 200 OK, Set-Cookie: name=value  Set-Cookie: name=value --
        --- GET, Cookie: name=value; name=value --------------->

    Cookies in PHP
    How cookies are set in PHP:
      Use the built-in setcookie() function. The most simple form is setcookie($name, $value).
      It is also possible to specify when the cookie will expire, and the URL path and domain for which it applies (these default to those of the request URI).
    Accessing cookie values:
      Read the $_COOKIE array: $_COOKIE['name']

    To delete a cookie, use setcookie() with the same cookie name and an expiration value in the past.
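    The following is an added example (not code from the slides) that puts the three operations above together: setting a cookie in its simplest form, setting one with an explicit expiry, path and domain, reading a value back on a later request, and deleting it. The cookie names, values and the path pattern are constructed for illustration; the secure and httponly arguments are standard setcookie() parameters that the slides do not mention.

```php
<?php
// Added example: setting, reading and deleting cookies in PHP.
// Cookie names/values here are constructed for illustration only.

// Cookies travel as HTTP headers, so setcookie() must run before any output is sent.
// Simplest form: name and value only; the cookie lasts until the browser is closed.
setcookie('visited', '1');

// Full form: expiry (Unix timestamp), path, domain, secure, httponly.
//   path '/'       : sent with every request to this host
//   domain ''      : defaults to the host of the request URI
//   secure  true   : only sent over HTTPS, so it is not sent across the wire in the clear
//   httponly true  : not readable from JavaScript, limiting theft by injected scripts
$oneWeek = 60 * 60 * 24 * 7;
setcookie('last_page', '/catalog', time() + $oneWeek, '/', '', true, true);

// Reading cookie values: they are only present on the *next* request,
// once the browser has sent them back in the Cookie header.
if (isset($_COOKIE['visited'])) {
    echo "Welcome back\n";
} else {
    echo "First visit\n";
}

// Cookie values come from the client and must be treated as untrusted input.
$lastPage = isset($_COOKIE['last_page']) ? $_COOKIE['last_page'] : '';
if ($lastPage !== '' && !preg_match('#^/[A-Za-z0-9/_-]*$#', $lastPage)) {
    $lastPage = ''; // reject anything that is not a simple local path
}

// Deleting a cookie: same name (and same path/domain) with an expiry in the past.
setcookie('last_page', '', time() - 3600, '/', '', true, true);
```

    Note that a cookie set and then read in the same script will not appear in $_COOKIE until the browser has made another request, which is a common source of confusion when testing.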

    Problems with Cookies
      Browsers can refuse to accept cookies.
      Additionally, it adds network overhead to send lots of information back and forth.
      There are also limits to the amount of information that can be sent.
      Some information you just don't want to save on the client's computer.

    PHP Sessions
    The solution: store session information on the server, and have the client only store an identifier for its information as stored on the server. The identifier is known as a session ID.
      The session ID is stored using a cookie (it can be passed as a GET parameter as well).
      The server then uses the session ID to retrieve the information it has stored on the server.
      Session information is typically stored in files on the server, though options exist for using shared memory, and also for writing your own handlers (e.g. to use a database for storage).

    Using Sessions in PHP
    To start a session:
      session_start()
        Creates a session identifier. The session identifier is passed between client and server either as a cookie or in GET parameters.

    Then you can create, access and modify session variables:
      $_SESSION['session_var_name'] = $value;
        $_SESSION is only available once you call session_start().
      Read back with $_SESSION['session_var_name']
        You can check if a session variable is set by using isset().

    To end a session:
      session_destroy()
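    As an added example (not code from the slides), here is the shopping-basket case from the first slide implemented with the three calls above: session_start(), reads and writes to $_SESSION guarded by isset(), and session_destroy(). The request parameter names (add, checkout) and the item id format are constructed for illustration; the cookie clean-up before session_destroy() follows the usual PHP pattern so the client does not keep a stale session ID.

```php
<?php
// Added example: a minimal session-backed shopping basket.
// Parameter names and item ids are constructed for illustration.

// session_start() must run before $_SESSION is available and before any output.
session_start();

// Create the session variable on first use. It lives on the server; the client
// holds only the session ID that points at it.
if (!isset($_SESSION['basket'])) {
    $_SESSION['basket'] = array();
}

// Add an item: ?add=item_id
if (isset($_GET['add'])) {
    $item = $_GET['add'];
    // Validate client input before it is stored in the session.
    if (preg_match('/^[a-z0-9_-]{1,32}$/', $item)) {
        if (!isset($_SESSION['basket'][$item])) {
            $_SESSION['basket'][$item] = 0;
        }
        $_SESSION['basket'][$item]++;
    }
}

// Show the basket; escape on output since item ids originally came from the client.
foreach ($_SESSION['basket'] as $item => $qty) {
    echo htmlspecialchars($item, ENT_QUOTES, 'UTF-8') . ': ' . (int) $qty . "\n";
}

// End the session: ?checkout=1
if (isset($_GET['checkout'])) {
    $_SESSION = array();                  // drop the in-memory session data
    if (ini_get('session.use_cookies')) {
        // Also expire the session ID cookie on the client, with matching path/domain.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                    // remove the server-side session data
}
```

    session_destroy() alone removes the server-side file but leaves the ID cookie in the browser; clearing $_SESSION and expiring the cookie as above is what makes the session fully end from the client's point of view.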

    Security of Session Data
    In general, we cannot guarantee that session data will remain private.
      Often the session data files can be read by any web application on the same server.
      The session ID can be grabbed by looking at the GET parameters (for GET-based passing of the session ID), or by eavesdropping on the on-the-wire protocol to get the cookie with the session ID.
        If the session holds a password, someone can then replay the session ID back to the server.

    Cookie data, though stored on the client side, are sent across the wire in the clear.
      Client machines might be compromised, such as by malicious software inadvertently downloaded or by a virus.
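    The slide lists the risks but not the countermeasures. The following added example (not code from the slides) shows the PHP session settings that address each listed risk: cookie-only session IDs so the ID never appears in GET parameters, a secure and httponly session cookie so it is not sent in the clear, a private session.save_path so other applications on the same server cannot read the session files, a fresh session ID on login so a captured ID cannot be replayed into the authenticated session, and storing a user id rather than a password. The save path, the idle timeout and the login_user() helper are assumptions for illustration.

```php
<?php
// Added example: session settings that address the risks listed above.
// The save path and timeout values are assumed; login_user() is a hypothetical helper.

// Risk: session ID readable in GET parameters.
// Fix: accept the ID only from the cookie and never rewrite it into URLs.
ini_set('session.use_only_cookies', 1);
ini_set('session.use_trans_sid', 0);

// Risk: session ID cookie sent across the wire in the clear.
// Fix: secure (HTTPS only) and httponly (invisible to scripts) session cookie.
session_set_cookie_params(0, '/', '', true, true); // lifetime, path, domain, secure, httponly

// Risk: session files readable by other web applications on the same server.
// Fix: a directory owned by this application only (path is an assumed example).
ini_set('session.save_path', '/var/lib/php/sessions-myapp');

session_start();

// Risk: an ID captured before login replayed into the logged-in session.
// Fix: issue a new ID at the privilege change and delete the old session file.
// Store an identifier for the user, never the password itself.
function login_user($userId)
{
    session_regenerate_id(true);
    $_SESSION['user_id']      = $userId;
    $_SESSION['logged_in_at'] = time();
}

// Risk: a stolen ID stays valid indefinitely.
// Fix: expire idle sessions on the server; the cookie expiry is client-controlled.
function session_is_fresh($maxIdleSeconds)
{
    if (!isset($_SESSION['last_seen'])) {
        $_SESSION['last_seen'] = time();
        return true;
    }
    if (time() - $_SESSION['last_seen'] > $maxIdleSeconds) {
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}

if (!session_is_fresh(15 * 60)) {
    $_SESSION = array();
    session_destroy();
    echo "Session expired, please log in again\n";
    exit;
}
```

    All ini_set() and session_set_cookie_params() calls must come before session_start(), since the cookie and storage settings are read when the session is opened. None of this helps against a compromised client machine, the last risk on the slide; that one can only be limited by keeping sessions short-lived and by not keeping secrets in the session at all.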