Topic 03 : Cookies & Sessions

Post on 18-Jan-2015


Topic 3 : Cookies & Sessions

Er. Pradip Kharbuja

Statelessness

• The problem with HTTP as a delivery platform is that it is stateless.

The only data you have in the form is the data you take with you.

• This problem is solved by using

1. get

2. post

3. cookies

4. session

Statelessness [Contd.]

• HTTP permits the sending of data to web pages.

• Two methods for this are provided:

1. GET

2. POST

• When it is time to send information (for example, from form elements), it is encoded by the client and then sent in one of these two ways.

A space gets replaced with a special code (%20) or with +.

GET

• Using the GET method, the encoded information gets sent as an extension to the URL.

-It will appear as something like:

-http://<url>/result.php?num=6&faces=7

• This information is available to PHP via the $_GET variable.

• We can make use of the GET protocol by changing the method attribute of our form to GET.

Example Using GET - PHP

    <form action = "dice_roll_get.php" method = "get">
    <p>How many dice</p>
    <input type = "text" name = "num">
    <p>How many faces?</p>
    <input type = "text" name = "faces">
    <input type = "submit" value = "Roll">
    <input type = "reset" value = "Clear values">
    </form>

• Develop the php page to get the number and faces & display them.
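One way to write dice_roll_get.php, the page the form above submits to. This is an added example, not code from the slides: it reads num and faces from $_GET, treats both as untrusted input (validated as integers in a range, then escaped on output), and only then rolls the dice. The range limits (1-20 dice, 2-100 faces) are assumptions chosen for the example.

```php
<?php
// dice_roll_get.php: added example handler for the GET form above (not from the slides).
// Reads num and faces from $_GET, validates them, rolls the dice and displays the result.
declare(strict_types=1);

// Everything in $_GET is text typed by the client (or anyone who crafts the URL),
// so validate each parameter as an integer in an assumed sane range before use.
// filter_input() returns false when validation fails and null when the key is absent.
$num   = filter_input(INPUT_GET, 'num',   FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1, 'max_range' => 20]]);
$faces = filter_input(INPUT_GET, 'faces', FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 2, 'max_range' => 100]]);

header('Content-Type: text/html; charset=UTF-8');

if ($num === false || $num === null || $faces === false || $faces === null) {
    http_response_code(400);
    echo '<p>Please enter a number of dice (1-20) and a number of faces (2-100).</p>';
    exit;
}

// Roll with a CSPRNG-backed integer source; rand() would do for a game, but this costs nothing.
$rolls = [];
for ($i = 0; $i < $num; $i++) {
    $rolls[] = random_int(1, $faces);
}

// Display the values. %d guarantees integer output; the joined roll list is escaped out of habit,
// because the safe pattern is "escape everything you echo", not "escape what looks dangerous".
printf('<p>Rolling %d dice with %d faces each.</p>', $num, $faces);
echo '<p>Results: ' . htmlspecialchars(implode(', ', $rolls), ENT_QUOTES, 'UTF-8') . '</p>';
echo '<p>Total: ' . array_sum($rolls) . '</p>';
```

With the form above, the browser requests a URL of the shape shown on the previous slide (dice_roll_get.php?num=6&faces=7); replacing either value with text or a negative number produces the 400 response instead of a PHP warning.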

Overview of GET

• It is very easy to use.

• It is extremely easy to create simple web services and APIs using the GET method.

Example : Facebook, Twitter, etc.

• Parameters remain in browser history because they are part of the URL.

• Can be bookmarked.

• You can manipulate it through URLs entirely.

This is something the POST protocol does not do as easily.

Restrictions of GET Method

• There are restrictions on how much information can be sent using GET.

-And on the type of information.

-It cannot send binary data, only alphanumeric characters.

• It can send a maximum of 1024 characters.

• It should never be used to send sensitive data, such as passwords.

-They are shown in the URL.

The POST Protocol

• The POST protocol is most useful on a day-to-day basis.

• POST has no limitations on size of data.

• It has no limitations on data types.

You can use it to send binary data too.

• It works by placing the encoded data in a standard HTTP header.

So the data does not appear in the URL.
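The point that POST can carry binary data is easiest to see with a file upload, which the GET form earlier could not do at all. The following page is an added example, not from the slides: on a GET request it shows a multipart POST form, and on POST it applies the checks a handler should make before trusting what arrived in the body. The storage directory, the 2 MiB limit and the PNG/JPEG allow-list are assumptions for the example.

```php
<?php
// upload_post.php: added example (not from the slides) of a POST form that sends binary data
// (a file upload) and of the server-side checks made before anything in the body is trusted.
declare(strict_types=1);

// Assumptions for this example: files are kept outside the web root, capped at 2 MiB,
// and only two image types are accepted. PHP's post_max_size / upload_max_filesize still apply.
const UPLOAD_DIR = __DIR__ . '/../uploads';
const MAX_BYTES  = 2 * 1024 * 1024;
const ALLOWED    = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    // Show the form. enctype="multipart/form-data" is what lets the body carry raw bytes.
    echo '<form action="upload_post.php" method="post" enctype="multipart/form-data">'
       . '<p>Choose an image</p><input type="file" name="photo">'
       . '<input type="submit" value="Upload"></form>';
    exit;
}

// Uploaded files arrive in $_FILES, not $_POST; every field in it came from the client.
$file = $_FILES['photo'] ?? null;
if ($file === null || $file['error'] !== UPLOAD_ERR_OK) {
    http_response_code(400);
    exit('No file received or upload failed.');
}
if ($file['size'] > MAX_BYTES) {
    http_response_code(413);
    exit('File too large.');
}

// Decide the type from the file's bytes. The client-supplied name and 'type' entries
// are part of the POST body and can say anything.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
if (!array_key_exists($mime, ALLOWED)) {
    http_response_code(415);
    exit('Only PNG and JPEG images are accepted.');
}

// Store under a server-generated name so the original filename never reaches the filesystem.
if (!is_dir(UPLOAD_DIR)) {
    mkdir(UPLOAD_DIR, 0750, true);
}
$dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
if (!move_uploaded_file($file['tmp_name'], $dest)) {
    http_response_code(500);
    exit('Could not store file.');
}

header('Content-Type: text/html; charset=UTF-8');
echo '<p>Stored ' . htmlspecialchars(basename($dest), ENT_QUOTES, 'UTF-8')
   . ' (' . (int) $file['size'] . ' bytes).</p>';
```

Note the order: method, then presence and error code, then size, then content type from the bytes, and only then a write to disk under a name the server chose. Each check rejects a request before the next, more expensive step runs.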

GET vs POST

History
  GET: Parameters remain in browser history because they are part of the URL.
  POST: Parameters are not saved in browser history.

Bookmark
  GET: Can be bookmarked.
  POST: Cannot be bookmarked.

BACK button / re-submit behaviour
  GET: GET requests are re-executed but may not be re-submitted to the server.
  POST: The browser usually alerts the user that data will need to be re-submitted.

Parameters
  GET: Can send, but the parameter data is limited. Safest to use less than 2K of parameters.
  POST: Can send parameters, including uploading files, to the server.

Hack
  GET: Easier to hack.
  POST: More difficult to hack.

GET vs POST [Contd.]

Restrictions on form data type
  GET: Yes, only ASCII characters allowed.
  POST: No restrictions. Binary data is also allowed.

Security
  GET: GET is less secure compared to POST because the data sent is part of the URL. So it is saved in browser history and server logs in plaintext.
  POST: POST is a little safer than GET because the parameters are not stored in browser history or in web server logs.

Restrictions on form data length
  GET: Yes, since form data is in the URL and URL length is restricted. A safe URL length limit is often 2048 characters but varies by browser and web server.
  POST: No restrictions.

GET vs POST [Contd.]

Usability
  GET: The GET method should not be used when sending passwords or other sensitive information.
  POST: The POST method is used when sending passwords or other sensitive information.

Visibility
  GET: The GET method is visible to everyone (it will be displayed in the browser's address bar) and has limits on the amount of information to send.
  POST: POST method variables are not displayed in the URL.

Cached
  GET: Can be cached.
  POST: Not cached.

Large variable values
  GET: 7607 character maximum size.
  POST: 8 Mb max size for the POST method.

The Limitations of POST and GET

• That data persists only as long as the script is running.

If we reload a page that contains a script, it will usually ask if we want to resend the data.

• If we move outside the confines of a single PHP script, we will lose the data.

That is a consequence of HTTP’s statelessness.

Cookies

• Cookies are used to identify a user.

• Cookies are little files stored on a user’s computer that contain certain pieces of information.

They can be read by a web page, so that data is available between pages.

How to Create a Cookie?

• Cookies are set using the function.

-This takes two parameters – a name for the cookie and its value.

• You can add a third to define an expiration time.

eg. //expires at the end of the session

eg. //expires after 60 seconds

• The function must appear before tag.

• Cookies are available on the next page load.

-You cannot set and access a cookie in the same pass.

Cookies

• Accessing Cookies using $_COOKIE

• Modifying Cookies

• Unsetting or Deleting Cookies

-Set the expiry time to a time in the past.

eg.

Cookies Example
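A single page that exercises the three operations from the previous slides (set, modify, delete) and the rule that a cookie set in one pass is only readable on the next. This is an added example, not the slides' own code. It uses PHP's setcookie() with the options-array form (PHP 7.3 or later), and the Secure/HttpOnly/SameSite attributes assume the page is served over HTTPS.

```php
<?php
// cookie_demo.php: added example (not from the slides). Drive it with ?action=set,
// ?action=read and ?action=delete on successive requests.
declare(strict_types=1);

// Defensive defaults for the cookie (assumption: the site is served over HTTPS).
$cookieOptions = [
    'expires'  => time() + 60,  // expires after 60 seconds; 0 would mean "end of browser session"
    'path'     => '/',
    'secure'   => true,         // only sent over HTTPS
    'httponly' => true,         // not readable from JavaScript
    'samesite' => 'Lax',        // not attached to most cross-site requests
];

$action = $_GET['action'] ?? 'set';

switch ($action) {
    case 'set':
        // setcookie() emits a Set-Cookie header, so it must run before any HTML is echoed.
        setcookie('visits', '1', $cookieOptions);
        $message = 'Cookie "visits" set. Load this page again with ?action=read.';
        break;

    case 'read':
        // $_COOKIE holds only what the browser sent with THIS request, i.e. values set on an earlier one.
        // The value is client-controlled text, so cast it before doing arithmetic on it.
        $visits = isset($_COOKIE['visits']) ? (int) $_COOKIE['visits'] : 0;
        // Modifying a cookie is just sending it again with a new value (and a fresh expiry).
        setcookie('visits', (string) ($visits + 1), $cookieOptions);
        $message = $visits === 0 ? 'No cookie received yet.' : "Cookie received with value $visits.";
        break;

    case 'delete':
        // Deleting a cookie: resend it with an empty value and an expiry in the past.
        // Array union keeps the left-hand 'expires' and takes the other attributes from the defaults.
        setcookie('visits', '', ['expires' => time() - 3600] + $cookieOptions);
        $message = 'Cookie "visits" deleted.';
        break;

    default:
        http_response_code(400);
        $message = 'Unknown action.';
}

// All output happens after the Set-Cookie header has been queued.
header('Content-Type: text/html; charset=UTF-8');
echo '<html><body><p>' . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . '</p></body></html>';
```

Requesting ?action=read immediately after ?action=set shows the value 1, because the browser only learned the cookie from the first response; the same cookie would not be visible in $_COOKIE during the request that set it.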

Limitations of Cookies

1. Not all clients support them. Cookies can be disabled in user browsers.

2. Users can delete cookies.

3. No security for sensitive data.

4. They can only hold a small amount of information.

5. Cookies are browser specific.

-The real work of your application should happen on the server.

Sessions

• Sessions fulfill the same role, but most of the information does not get stored on a user’s computer.

It is available only as long as their browser is open and the session is active.

• Sessions are managed by a pair of cookies.

-One on the server

-One on the client

• The client cookie contains only a reference to a session stored on the server.

-So you can't take advantage of sessions with cookies disabled.

Working with Sessions

• To set up a session, we use the session_start( ) function of PHP.

• It must appear before the <html> tag.

• The variable is used to access & store session data.

Destroying Sessions

• You can destroy a session completely using the function.

Sessions Example
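A login-style page that shows the whole session lifecycle from the previous two slides: session_start() before any output, state kept in $_SESSION rather than on the client, and a logout that removes the server-side record and expires the client's reference cookie. This is an added example, not the slides' own code. The single hard-coded user is a constructed credential store for the demo, and the cookie attributes assume the page is served over HTTPS (options-array forms need PHP 7.3 or later).

```php
<?php
// session_demo.php: added example (not from the slides) of starting, using and destroying a session.
declare(strict_types=1);

// Harden the session cookie before session_start() creates it (assumption: HTTPS).
session_set_cookie_params([
    'lifetime' => 0,        // cookie lasts until the browser is closed
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1');  // refuse session IDs the server never issued
session_start();                          // must run before any HTML output

// Constructed credential store for the demo; a real application would query a database.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

$action = $_POST['action'] ?? 'show';

if ($action === 'login' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = (string) ($_POST['user'] ?? '');
    $pass = (string) ($_POST['pass'] ?? '');
    if (isset($users[$user]) && password_verify($pass, $users[$user])) {
        // Issue a fresh session ID when privileges change, so an ID obtained before
        // login cannot be reused afterwards (session fixation).
        session_regenerate_id(true);
        $_SESSION['user']         = $user;
        $_SESSION['logged_in_at'] = time();
    } else {
        http_response_code(401);
    }
} elseif ($action === 'logout') {
    // Destroy completely: clear the data, expire the client's reference cookie,
    // then delete the server-side record. session_destroy() alone leaves the cookie in place.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 3600,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

header('Content-Type: text/html; charset=UTF-8');
if (!empty($_SESSION['user'])) {
    printf('<p>Logged in as %s since %s.</p>',
        htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8'),
        date('H:i:s', (int) $_SESSION['logged_in_at']));
    echo '<form method="post"><input type="hidden" name="action" value="logout">'
       . '<input type="submit" value="Log out"></form>';
} else {
    // Credentials travel in a POST body, never in the query string.
    echo '<form method="post"><input type="hidden" name="action" value="login">'
       . 'User <input type="text" name="user"> Password <input type="password" name="pass">'
       . '<input type="submit" value="Log in"></form>';
}
```

Only the session ID ever reaches the browser; the username and login time stay in the server-side session store, which is the distinction the Sessions slide draws between the "server cookie" and the "client cookie".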

Program Architecture

• PHP fits in the application layer of N-Tier architecture.

[Diagram: N-Tier architecture. Presentation layer: HTML. Application layer: PHP. Data layer: ??]

Conclusion

• HTTP is a stateless protocol.

-Which makes it a little difficult to make dynamic web pages.

• PHP offers cookies and sessions as a way to resolve this problem.

Terminology

• Cookie

A small piece of data stored on a user’s computer to ease dynamic application development.

• Session

A temporary mapping between the state of a server and a client’s system.

Questions???

End of Topic 3