PHP and HTTP cookies
Jussi Pohjolainen
HTTP Cookie [source: wikipedia]
- An HTTP cookie is a small text fragment that is stored in the user's
browser.
- The cookie is sent from the server to the browser and then sent back.
- Cookies are used for authenticating, tracking and maintaining specific
information about users.
- Cookies are not computer programs, spyware or viruses. They are just
simple pieces of data that lie in the browser.
Purpose of cookies
- To differentiate users, example: virtual
shopping basket
- Authentication: web application knows that
the user has successfully logged in.
- Personalization: web application has
different layouts for different users.
- Tracking users: statistic reasons.
In technical perspective
- A cookie is a piece of information that is sent to the
browser.
- The browser sends the cookie back to the server.
- Result: web pages are no longer stateless.
- A cookie can have a deletion date. If the date is not specified,
the cookie will be deleted when the browser quits.
HTTP Request
- Request to server:
GET /index.html HTTP/1.1
- Response from server:
HTTP/1.1 200 OK
Content-type: text/html
Set-Cookie: name=value
(content of page [html])
- Request to server:
GET /spec.html HTTP/1.1
Cookie: name=value
Accept: */*
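The same exchange seen from inside a PHP script, as an added example that is not part of the original slides: PHP exposes the request's Cookie header in $_SERVER['HTTP_COOKIE'] (absent on the very first request, before any cookie has been set), and the Set-Cookie response header can be emitted with header() directly; setcookie() is a convenience wrapper that builds this header for you. The cookie name "name", the value "value" and the path "/" are the slide's own sample values.

```php
<?php
// Added example (not from the original slides): raw cookie headers in PHP.
// A cookie is nothing more than a response header ("Set-Cookie: name=value")
// that the browser stores and returns as a request header ("Cookie: name=value").

// What the browser sent back in this request, if anything.
// On the very first visit there is no Cookie header at all.
$received = isset($_SERVER['HTTP_COOKIE'])
    ? $_SERVER['HTTP_COOKIE']
    : '(no Cookie header in this request)';

// Queue the Set-Cookie header by hand. This is exactly the
// "Set-Cookie: name=value" line from the slides; it must be emitted before any
// output, because HTTP headers precede the response body.
header('Set-Cookie: name=value; Path=/');

// headers_list() lists the headers PHP has queued so far for this response,
// so we can show the Set-Cookie line alongside the Cookie line we received.
$queued = headers_list();
?>
<!DOCTYPE html>
<html>
<head><title>Raw cookie headers</title></head>
<body>
<pre>
Request Cookie header: <?php echo htmlspecialchars($received, ENT_QUOTES, 'UTF-8'); ?>

Response headers queued so far:
<?php foreach ($queued as $h) { echo htmlspecialchars($h, ENT_QUOTES, 'UTF-8'), "\n"; } ?>
</pre>
</body>
</html>
```

Load the page twice: the first response carries Set-Cookie while the request shows no Cookie header; on the reload the browser sends "Cookie: name=value" back, which is the second request on the slide. Header values are passed through htmlspecialchars() before being printed, because the Cookie header is client-supplied data.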
Browser support
- Modern browsers support cookies, but the user can block
cookies if he/she wants to! Firefox Cookie Manager:

Cookie drawbacks
- Identification: what if a user uses more than one browser? What if more
than one user uses the same browser?
- Cookie theft: cookies can be sniffed on the network by other computers.
Cookies should not contain sensitive information!
- Cookie poisoning: an attacker modifies the cookie and sends the
modified one to the server.
- Inconsistent state: the "Back" button doesn't work.
Setting cookie from PHP
- Cookies are normally set from a server-side script. PHP has
functions for setting and querying cookies.
- Setting the cookie:
setcookie ( string name [, string value [, int expire [, string path [, string domain [, bool secure]]]]] )
name = The name of the cookie.
value = The value of the cookie.
expire = The time the cookie expires, as a Unix timestamp.
time()+60*60*24*30 will set the cookie to expire
in 30 days.
path = The path on the server in which the
cookie will be available.
domain = The domain in which the cookie is
available.
secure = Indicates that the cookie should
only be transmitted over a secure HTTPS connection
(true|false).
- Important! The cookie must be set before printing
any (x)html, because Set-Cookie is an HTTP header and
headers are sent before the response body.
Examples of setting cookie with PHP
setcookie("name", "Jack");
setcookie("name", "Jack", time()+60);
setcookie("name", "Jack", time()+60*60, "/~pohjus/");
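A complete page that sets the 30-day cookie from the parameter list above, as an added example that is not part of the original slides. It checks headers_sent() so that the "cookie set after output" mistake fails loudly instead of silently losing the cookie, and sets the secure flag only when the request really came over HTTPS. The seventh setcookie() argument, httponly (available since PHP 5.2), is not covered by the slides; it stops client-side scripts from reading the cookie and is included as a defensive default. The cookie name, value and the path "/~pohjus/" are the slides' sample values.

```php
<?php
// Added example (not from the original slides): setting a cookie correctly.
// setcookie() only queues a Set-Cookie header, so it must run before any
// (X)HTML is printed; otherwise PHP warns "headers already sent" and the
// cookie is never delivered.

// Expiry as a Unix timestamp: 30 days from now, as on the slides.
$thirtyDays = time() + 60 * 60 * 24 * 30;

// Mark the cookie "secure" only on HTTPS requests. A secure cookie set on a
// plain-HTTP page would never be sent back by the browser.
$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

// headers_sent() reports whether output has already started (and where).
// Failing here makes the ordering mistake obvious during development.
if (headers_sent($file, $line)) {
    die("Cannot set cookies: output already started in $file on line $line");
}

// Arguments: name, value, expire, path, domain, secure, httponly.
// Empty domain means "the host that served this page".
// httponly=true (PHP 5.2+) is an assumption beyond the slides: it hides the
// cookie from document.cookie, which limits cookie theft through script injection.
$ok = setcookie("name", "Jack", $thirtyDays, "/~pohjus/", "", $isHttps, true);

// setcookie() returns false only when output had already started. true means
// the header was queued; it does not prove the browser will keep the cookie
// (the user may have blocked cookies, as the Browser support slide notes).
if (!$ok) {
    die("setcookie() failed");
}
?>
<!DOCTYPE html>
<html>
<head><title>Cookie set</title></head>
<body>
<p>The cookie "name" was queued in this response. Reload the page and
read it from $_COOKIE["name"].</p>
</body>
</html>
```

The one rule to remember from this script is the order: every setcookie() and header() call comes first, and the first byte of HTML comes after. A stray space or newline before the opening `<?php` tag already counts as output and triggers the same error.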
Reading and destroying the cookie
- Cookies are very easy to read. Form values are read by using the
arrays $_GET and $_POST. PHP has a similar
array for cookies: $_COOKIE.
- Setting the cookie:
setcookie("name", "Jack");
- Reading the cookie:
$value = $_COOKIE["name"];
- To destroy the cookie, set the cookie's expiration date to
a time in the past ("negative"):
setcookie("name", "Jack", time()-1);
Examples
- Simple Cookie -
A very simple demonstration of how cookies work. Reload the page to see
the cookie's value in the browser.
- Cookies and
multiple pages - Three pages and one cookie. The user is
identified by using the cookie. The user can set the cookie by
"logging in" and unset the cookie by "logging out".
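The reading and destroying steps from the previous slide and the "logging in / logging out" flow of the multiple-pages example, combined in one script as an added example that is not part of the original slides or of the linked demo. Because the browser can send back any value (the "cookie poisoning" drawback), the cookie carries the username together with an HMAC computed from a server-side secret, so a modified cookie is detected and treated as absent; hash_hmac() and hash_equals() are standard PHP functions (hash_equals since PHP 5.6). The cookie name "user", the secret, the username rule and the ?action= parameter are this example's own assumptions. As the slides say, the cookie still holds no sensitive information: the signature prevents tampering, not reading.

```php
<?php
// Added example (not from the original slides): log in / log out with a cookie.
// All header work (setcookie, redirects) happens before any HTML is printed.

// Server-side secret for signing cookie values. Placeholder: replace with a
// long random string kept out of version control.
define('COOKIE_SECRET', 'change-me-to-a-long-random-secret');
define('COOKIE_NAME', 'user');
define('COOKIE_PATH', '/');

// The cookie value is "username|hmac". The MAC lets the server notice a
// cookie that was edited in the browser (cookie poisoning).
function signValue($username) {
    return $username . '|' . hash_hmac('sha256', $username, COOKIE_SECRET);
}

// Returns the username when the cookie exists and its signature verifies,
// otherwise null. A cookie with a bad signature counts as "not logged in".
function currentUser() {
    if (!isset($_COOKIE[COOKIE_NAME])) {
        return null;
    }
    $parts = explode('|', $_COOKIE[COOKIE_NAME], 2);
    if (count($parts) !== 2) {
        return null;
    }
    list($username, $mac) = $parts;
    $expected = hash_hmac('sha256', $username, COOKIE_SECRET);
    // Constant-time comparison so the check does not leak by timing.
    return hash_equals($expected, $mac) ? $username : null;
}

$action = isset($_GET['action']) ? $_GET['action'] : 'show';

if ($action === 'login' && isset($_POST['username'])) {
    // Accept only a plain alphanumeric name so the "|" separator cannot appear in it.
    $username = $_POST['username'];
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $username)) {
        die('Invalid username');
    }
    // Expire 0 = session cookie: gone when the browser quits (as on the slides).
    setcookie(COOKIE_NAME, signValue($username), 0, COOKIE_PATH);
    header('Location: ' . $_SERVER['SCRIPT_NAME']);
    exit;
}

if ($action === 'logout') {
    // Destroy the cookie: same name and path, expiry date in the past.
    setcookie(COOKIE_NAME, '', time() - 3600, COOKIE_PATH);
    header('Location: ' . $_SERVER['SCRIPT_NAME']);
    exit;
}

// Reading the cookie happens here, after the cookie-changing actions.
$user = currentUser();
?>
<!DOCTYPE html>
<html>
<head><title>Cookie login demo</title></head>
<body>
<?php if ($user === null): ?>
  <form method="post" action="?action=login">
    <input type="text" name="username">
    <input type="submit" value="Log in">
  </form>
<?php else: ?>
  <p>Logged in as <?php echo htmlspecialchars($user, ENT_QUOTES, 'UTF-8'); ?>.</p>
  <p><a href="?action=logout">Log out</a></p>
<?php endif; ?>
</body>
</html>
```

Two details matter when deleting: the name and path in the destroying setcookie() call must match the ones used when the cookie was set, otherwise the browser treats it as a different cookie and the old one survives; and the redirect after login or logout means the next request already carries (or lacks) the cookie, so the page never shows a stale state.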
Exercises
- Make a simple "hello world" PHP script and call
the setcookie function after printing some (x)html code.
What kind of error message do you get? Why?
- Move the setcookie function to the top of your
PHP code. Run your code and find the cookie in your browser (in
Firefox: Cookie Manager).
- Modify this game so that
the player can play the game using money. When the game starts,
the user has five euros. Each round costs one euro and when the
fruits are the same, the player wins three euros. The game shows all the
time how much money is left. When the user has no money left, the game
asks the user if he/she wants to start a new game. Use
cookies to implement these functionalities.