PHP version--HTTP session cookie principle and application

PHP’s COOKIE

Cookie is a mechanism that stores data on the remote browser side to track and identify users.
PHP sends cookies in the header information of the http protocol, so the setcookie() function must be called before other information is output to the browser, which is similar to the restriction on the header() function.

--------------------------------------------- -------------------------------------------------- ----------------------------------

1. Set cookie:

a .You can use the setcookie() or setrawcookie() function to set cookies. It can also be set by sending http headers directly to the client.

eg:

Php code

1. $value = 'something from somewhere';
2. setcookie( "TestCookie", $value); /* Simple cookie settings */
3. setcookie("TestCookie", $value, time( )+3600); /* Validity period 1 hour */
4. setcookie("TestCookie", $value, time()+3600, "/ ~rasmus/",
5. ".example.com", 1); /* Valid directory /~rasmus, valid domain name example.com and all its subdomains */

Set multiple cookies Variables: setcookie('var[a]','value'); Use an array to represent variables, but do not use quotation marks for his subscripts. In this way, you can use $_COOKIE[‘var’][‘a’] to read the COOKIE variable.

b. Use header() to set cookies;

header("Set-Cookie: name=$value[;path=$path[;domain=xxx.com[ ;...]]");

eg:

Php code

1. $value = 'something from somewhere';
2. header("Set-Cookie:name=$value"); -------------------------------------------------- -------------------------------------------------- -------------
2. Read cookies:

You can read browser-side cookies directly using PHP's built-in super global variable $_COOKIE.

The cookie "TestCookie" is set in the above example, now let's read:

eg:

Php code

1. print $_COOKIE['TestCookie'];

-------------------------------- -------------------------------------------------- -------------------------------------------------- --------

3.Delete cookie

Just set the valid time to be less than the current time, and set the value to empty. For example:

eg:

Php code

1. setcookie("name", " ", time()-1);

Use header() similar.

Note:

a.There is an error message when using setcookie(). It may be because there is output or space before calling setcookie(). It is also possible that your document was converted from another character set. On the other hand, the document may have a BOM signature (that is, adding some hidden BOM characters to the file content). The solution is to prevent this from happening in your document. You can also handle it a little bit by using the ob_start() function.

b.$_COOKIE is affected by magic_quotes_gpc and may be automatically escaped

c.When using it, it is necessary to test whether the user supports cookies

- -------------------------------------------------- -------------------------------------------------- ------------------------

4. Principle.

a. The server sends an http with the response Set-Cookie header, sets a cookie in the client (multiple cookies require multiple headers).

b. The client automatically sends an http cookie header to the server, and the server receives and reads it.
HTTP/1.x 200 OK
MT
                                Cache -Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                                          use using using using ’ ’ s ’ s ’ s ‐   ‐ ‐ ‐ t , after receiving this line


Set-Cookie: TestCookie=something from somewhere; path=/

The browser will create a cookie file on the client’s disk and write in it:

TestCookie=something from somewhere;

This line is the result of us using setcookie('TestCookie','something from somewhere','/'); That is the result of using

header('Set-Cookie: TestCookie=something from somewhere; path=/');.

---------------------------------------- ---------Dividing line--------------------------------------- --------------------------------

PHP SESSION

session uses a cookie with an expiration time set to 0, and generates a unique identifier (a long string) called session ID synchronously on the server side. session file (you can define the saving type of the session yourself), associated with the user machine. The web application stores data related to these sessions and allows the data to be passed between pages with the user. Visitors to the website are assigned a unique identifier, a so-called SESSION ID. It is either stored in a cookie on the client side or passed via the URL. SESSION allows the user to register any number of variables and reserve them for each request. When a visitor accesses the website, PHP automatically (if session.auto_start is set to 1) or at the user's request (explicitly called by session_start() or session_register() Called implicitly) to check if a specific SESSION ID was sent in the request. If so, the previously saved environment is recreated.

The core concept of session is: extra data for jumping between web pages is saved on the server and identified by an ID. To maintain the session, the browser needs to bring this ID with each submission.

------------------------------------------------ -------------------------------------------------- ----------------------------------

There are two ways to pass session id:

a. Transmit the SESSION ID through cookies

Use session_start() to call the session. The server generates the session while generating the session file. ID hash value and session name with default value of PHPSESSID, and the variable sent to the client is (default is) PHPSESSID(session name), and the value is a 128-bit hash value. The server will interact with the client through this cookie. The value of the session variable is serialized internally by PHP and stored in a text file on the server machine. It interacts with the client's coolie whose variable name is PHPSESSID by default. That is, the server automatically sends the http header: header('Set-Cookie : session_name()=session_id(); path=/'); i.e. setcookie(session_name(),session_id());
When you jump to a new page from this page and call session_start(), PHP will check the server-side storage associated with the given ID session data, if not found, create a new data set.

b.Transmit session ID through URL

This method is only used when the user prohibits the use of cookies, because browser cookies are already universal, and for security reasons, they are not used. this method.
  xxx, session can also be passed through POST value.

--------------------------------------------- -------------------------------------------------- ----------------------------------

If the client prohibits the use of cookies, you can use the following Method:

a. Set session.use_trans_sid = 1 in php.ini or turn on the --enable-trans-sid option when compiling to let PHP automatically pass the session id across pages.
b. Manually pass the value through the URL and pass the session id through the hidden form.
c. Save session_id in a file, database, etc., and call it manually during the cross-page process.

link: http://apps.hi.baidu.com/share/detail/41643457

session can also be used when cookies are disabled: session.use_cookies in
php.ini =1, change it to 0, the session will be saved on the server side, not the client's cookie.

You can view the server's session storage location through session.save_path

session usage:

eg:

Php code

1. // page1.php
2. session_start();
3. echo 'Welcome to page #1';
4. /* Create session variable and assign value to session variable */
6. $_SESSION ['favcolor'] = 'green' ;
7. $_SESSION['time '] = time ();
8. echo '< ;br />page 2';
9. // If the client disables cookies
10. echo '
    page 2'
;
11. /*
12. By default under php5.2.1, the SID will only have a value when the cookie is written. If the session The corresponding cookie already exists , then the SID will be (undefined) empty
13. hp code
14. // page2 .php
15. session_start();
16. print $_SESSION['animal'

]; //Print out a single session

var_dump(

$_SESSION

);
1. //Print out the session value passed by page1.php
3. Delete session:
4. eg:Php code

session_dest roy(); //The first step: Delete the server-side session file , this uses

setcookie(session_name(),

'',time()-3600);

// Step 2: Delete the actual session:

$_SESSION

=

array();

// Step 3: Delete $_SESSION global variable array

1. ?>

------------------------ -------------------------------------------------- -------------------------------------------------- --

A simple example:

php code:

Php code

1. session_start();
3. if (isset($_SESSION['test_sess'])){
5. $_SESSION['test_sess ']++;
$_SESSION
6. ['test_sess'
] = 0;
8. } echo
9. $_SESSION['test_sess' ; First request to server:
10. GET /test.php HTTP/1.1
Accept: */*
11. Referer: http://localhost/ Accept-Language: zh-cn Accept-Encoding: gzip, deflate User-Agent : Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 1.1.4322) Host: localhost
Connection: Keep-Alive
13. Server No. Return once: HTTP/1.1 200 OK Date: Fri, 26 Aug 2005 07:44:22 GMT
Server: Apache/2.0.54 (Win32) SVN/1.2.1 PHP / 5.0.4 DAV/2
X-Powered-By: PHP/5.0.4 Set-Cookie: PHPSESSID=bmmc3mfc94ncdr15ujitjogma3; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control : no -store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache

Content-Length: 1

Keep-Alive: timeout=15, max=99 Connection: Keep -Alive Content-Type: text/html; charset=utf-8 Content-Language: Off

Second request to the server:



GET /test.php HTTP/1.1
Accept: */*
Referer: http://localhost/
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 1.1.4322) Host: localhost Connection: Keep-Alive Cookie: PHPSESSID=bmmc3mfc94ncdr15ujitjogma3

Second server Returns:

HTTP/1.1 200 OK
Date: Fri, 26 Aug 2005 07:44:23 GMT
Server: Apache/2.0.54 (Win32) SVN/1.2.1 PHP/5.0.4 DAV/2
X- Powered-By: PHP/5.0.4
Set-Cookie: PHPSESSID=bmmc3mfc94ncdr15ujitjogma3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must- revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Content-Type: text/ html; charset=utf-8
Content-Language: OFF This The header will send a cookie information to the server, telling the server that I have a cookie named PHPSESSID and the content is bmmc3mfc94ncdr15ujitjogma3. Where did this cookie come from? Look at the information returned by the server for the first time: Set-Cookie: PHPSESSID=bmmc3mfc94ncdr15ujitjogma3; path=/

This is the server writing a cookie to the client browser. The name is PHPSESSID and the value is bmmc3mfc94ncdr15ujitjogma3. This value is actually the so-called session_id.

Continue to look at the second request to the server, and the cookie PHPSESSID is still sent to the server The following conclusions can be drawn: 1. As long as the session is used, the session will be sent to the client browser through the cookie

2. Every time a request is made to the server, the local browser will attach the cookie to the request information. Sending session

In fact, session is a completely abstract concept. What session really does is, in addition to the parameters provided by http and post, is to target a user (maybe a browser, or a computer, or even It is an IP) that can save additional information. If we don't use the session provided by the system, we can also transfer data. For example, the data we originally want to store in the session can be serialized and then encrypted to form a string and passed in all URLs and forms on the page. After the server receives the page request, it takes out the secret string from get or post, uncovers it, and restores the data. This is actually the same thing as the session. It's just that this method is super bt, and it requires too much extra work to implement. From a technical point of view, session is to name the additional data to be stored between web page links with an ID and save it on the server side. The browser only needs to provide the appropriate ID for each get or post. Can obtain previously stored data. PHP uses files to save data by default. Under Unix, PHP will generally create a file name like "sess_"+$session_id under /tmp. Through this name, you can directly find the data corresponding to session_id. Therefore, the most core concept of session is: additional data for jumping between web pages is stored on the server and identified with an ID. To maintain the session, the browser needs to bring this ID with each submission.
How can the browser bring this ID with every request? The stupid way is of course to add an ID parameter to each URL link or form post. Some webmails actually do this. Of course, the easier way is to save it through cookies. But there is still a problem with the cookie solution. What to do if the browser does not support cookies? This is also stated above. The above session is the session function provided by php4 and 5. You must know that the system did not provide the session function before php4! And many cgi programs are completely self-implemented sessions. For sessions provided by php(4,5), the system will use cookies to save session_id by default. In my previous project, users all used the web on the intranet. In order to facilitate management, the browser IP is directly tied to a session, that is, the browser IP address is used instead of the sessionid. There is no cookie in this solution, but it is still a session, because it does not fall outside the definition of session.







Every time a request is made to the server, the local browser will attach the cookie to the request information In fact, it has nothing to do with the session, it is just about how cookies work in the http protocol. This cookie is written by the session_start() function. We can also write the cookie arbitrarily. As long as it is written and the validity period has not expired, the browser can send it.

The above introduces the PHP version - HTTP session cookie principle and application, including the relevant content. I hope it will be helpful to friends who are interested in PHP tutorials.