CSE134A LECTURE NOTES
October 10, 2001
ANNOUNCEMENTS
The midterm will be on Wednesday October 31, in class. That's Halloween
but the exam won't be scary!
Today's handout is about session management in PHP.
COOKIES
[These notes on cookies are adapted from the
PHP manual.]
int setcookie (string name [, string value [, int expire [, string path [, string domain [, int secure]]]]])
This defines a cookie to be sent along with the rest of the HTTP header
information. Because a cookie is an HTTP header, it must be sent before any
output from the script (this is a restriction of HTTP, not of PHP). This
requires you to place calls to this function before any <html> or <head>
tags, and before any blank line or whitespace that precedes the <?php tag.
All the arguments except the name argument are optional.
If only the name argument is present, the cookie by that name will be deleted
from the remote client. You may also replace any argument with an empty
string ("") in order to skip that argument. The expire
and secure arguments are integers and cannot be skipped
with an empty string; use a zero (0) instead. The expire
argument is an absolute Unix time, as returned by the time()
or mktime() functions, not a duration: a cookie that should last one hour gets
an expire value of time() + 3600. The secure argument, when nonzero, indicates
that the cookie should only be transmitted over an HTTPS connection, so that
it cannot be read by anyone watching the plain HTTP traffic.
Common pitfalls:
- If only the name argument is present, the cookie by that name will be deleted
from the remote client.
- Cookies will not become visible until the next loading of a page that the
cookie should be visible for: the setcookie() call only adds a header to the
current response, and the browser sends the cookie back with later requests.
- Cookies must be deleted with the same parameters (in particular the same
path and domain) as they were set with; the browser identifies a cookie by
name, domain and path, so a deletion with a different path leaves the original
cookie in place.
The text above is adapted from the PHP manual.
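As an added worked example (not from the lecture notes or the PHP manual), here is a page that sets, reads and deletes a cookie using the rules above. The cookie name "cse134a_user", the value "alice", the 30-day lifetime, the path "/" and the domain "www.example.com" are placeholders chosen for this example. It uses the PHP 4 arrays $HTTP_COOKIE_VARS and $HTTP_GET_VARS that the notes' era used; in PHP 4.1 and later these are $_COOKIE and $_GET.

```php
<?php
// Added example, not from the notes or the PHP manual.
// No output may precede this block: setcookie() writes an HTTP header.

// Assumed placeholder values for this example.
$name   = 'cse134a_user';
$path   = '/';
$domain = 'www.example.com';

if (isset($HTTP_GET_VARS['logout'])) {
    // Deleting: same name, path and domain as when the cookie was set,
    // plus an expiry in the past so the browser discards it.
    setcookie($name, '', time() - 3600, $path, $domain);
    $message = 'Cookie deleted.';
} elseif (!isset($HTTP_COOKIE_VARS[$name])) {
    // Setting: expire is an absolute Unix time, so add the lifetime to time().
    // The last argument (1) marks the cookie secure: the browser will only
    // send it back over HTTPS, never over plain HTTP.
    setcookie($name, 'alice', time() + 30 * 24 * 3600, $path, $domain, 1);
    $message = 'Cookie set; it will be visible on the next request.';
} else {
    // The cookie value comes from the client and can be edited freely,
    // so it is escaped before being echoed into HTML and never trusted
    // as proof of anything.
    $message = 'Cookie value: ' . htmlspecialchars($HTTP_COOKIE_VARS[$name]);
}
?>
<html>
<head><title>Cookie demo</title></head>
<body>
<p><?php echo $message; ?></p>
<p><a href="?logout=1">Delete the cookie</a></p>
</body>
</html>
```

Load the page twice to see the value appear on the second request, then follow the delete link and reload to see that the deletion took effect only because the path and domain matched the original setcookie() call.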
SESSION MANAGEMENT
The information here is taken from Session
Handling with PHP 4 by Tobias Ratschiller, published at http://www.zend.com/zend/tut/session.php?print=1
Session management is a mechanism to maintain state about a series of
requests from the same user across some period of time. The term "session"
refers to the time that a user spends at a particular web site. HTTP
has no mechanism to maintain state: individual requests aren't related
to each other. The web server can't easily tell one user's requests from
another's and doesn't know about user sessions.
Session management refers to a way to associate data with a user during
a visit to a Web page. For example, a typical online shopping session
might include logging in, putting an item into the shopping cart, going
to the checkout page, entering address and credit card data, submitting
the order, and closing the browser window. PHP 4.0 includes native
session management functions to ease the task of managing user sessions.
PHP's session management library offers the key characteristics required
of a session management library:
- It stores session data on the server. Because the library uses different
storage modules, you can keep the data in plain text files, shared memory,
or databases. The exact location of the data is not really important (as long
as the performance of the medium is sufficient).
- It uses a random session ID to identify a user. The security of the whole
scheme rests on that ID: it is the only thing tying a request to a user, so
anyone who guesses or steals a valid ID can present it and be treated as
that user. The ID must therefore be unguessable and kept secret.
- It saves the session ID (and only the session ID) on the client side using
cookies, GET/POST, or the script path. Carrying the ID in a URL exposes it
in server logs, bookmarks and Referer headers, so cookies are preferable
where the client accepts them.
- If the user disables cookies, the application can use other means of session
propagation.
To associate session data with a user, you need a session identity number:
a key that ties the user to his data. PHP 4.0's session management frees
you from the task of inventing session IDs and storing session data.
SESSION PROPAGATION
Be sure you understand the general principle of what a session is.
On the client side, the session id must be propagated from each web page
to the next web page within the session. On the server side,
the session id must be propagated from each script execution to the next
script execution within the session.
I drew some pictures in class to illustrate this concept.
STARTING A SESSION
A PHP 4 session is started either explicitly by session_start(),
or implicitly by registering a variable for the session, using session_register().
Usually, you will call session_start() at the top of the page, so
that session variables are available to your script, and register variables
to the session later in the script. It wouldn't make a difference, though,
if you registered your session variables with session_register()
at the head of the script and left out the session_start() call,
because session_register() calls session_start() internally
if the session isn't started yet.
When you start a session either way, the following happens:
- PHP checks whether the request carries a session ID (in the session cookie
or in the URL).
- If there is no session ID, PHP creates a new ID.
- If a valid ID exists, the frozen variables of that session are reactivated
and introduced back to the global namespace.
Note that PHP does not check where a presented ID came from; it simply uses
it. The application must therefore never let the client choose the ID (for
example by accepting one embedded in a link it did not generate itself).
The session_register() command allows you to create variables
which are stored throughout the session. All variables you want to
preserve across page requests must be registered.
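As an added worked example (not code from the lecture notes or from Ratschiller's article), the following page ties the two preceding sections together: it starts a session, registers a counter variable, and propagates the session ID to the next page both through the cookie and, for clients that refuse cookies, through the URL via PHP's SID constant. The variable name "hits" is an assumption made for this example. The code uses the PHP 4 functions the notes describe; session_register() and register_globals were removed in later PHP versions, where the counter would live in $_SESSION['hits'] instead.

```php
<?php
// Added example, not from the notes or Ratschiller's article.
// Must run before any output, because the session cookie is an HTTP header.

// Resume the session named by the request's cookie or URL, or create a new one.
session_start();

// Assumed variable name for this example. Registering marks the global $hits
// as session data; it is frozen to the server-side store when the script ends
// and reactivated by session_start() on the next request.
session_register('hits');
if (!isset($hits)) {
    $hits = 0;                // first request of this session
}
$hits++;
?>
<html>
<head><title>Session demo</title></head>
<body>
<p>You have viewed this page <?php echo $hits; ?> times in this session.</p>
<p>Session ID: <?php echo htmlspecialchars(session_id()); ?></p>
<?php
// Client-side propagation. SID is "name=id" when the request carried no
// session cookie and the empty string when it did, so this link carries the
// ID in the URL only for cookieless clients. An ID in a URL appears in logs,
// bookmarks and Referer headers, so the cookie path is the safer one.
// $PHP_SELF can contain client-supplied path info, hence the escaping.
$next = htmlspecialchars($PHP_SELF) . (SID ? '?' . htmlspecialchars(SID) : '');
?>
<p><a href="<?php echo $next; ?>">Reload this page</a></p>
</body>
</html>
```

Reload the page with cookies enabled and the counter increases while the URL stays clean; disable cookies and the link grows a "?PHPSESSID=..." query string, which is the only thing that lets the server connect the second request to the first.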
Copyright (c) by Charles Elkan, 2001.