ask cookies n session.cookie

Pehape · 2006-10-03T12:17:51+00:00

hii...i want to ask: how many ways or function could we use to create cookies? what are the different between setcookies and session.use.cookies? are t...

ask cookies n session.cookie

Pehape

hii...i want to ask:

how many ways or function could we use to create cookies?
what are the different between setcookies and session.use.cookies?
are they have same use...?
setcookies has its lifetime (in the declaration/use) hasn't it ? so why there is a session.cookie_lifetime function?

thankss..

ClarkF1

For question 2

If a user has disabled cookies in their browser the session id and perhaps other variables get added to the URL so you get URLs like login.php?PHPSESSID=3434knkkknfkdf33434

Using session.use.cookies means that sessions won't work at all unless Cookies are enabled.

setcookie is used to set an ordinary cookie which won't get deleted when the browser is closed unlike a session cookie

bpat1434

1.) You can use only one way to create a cookie: [man]setcookie/man.
2.) [man]setcookie/man will actually store a text file on the users computer than can be accessed later after your script has finished execution. This text file can be updated with information as you need to change it. session.use.cookies specifies whether to store the session ID as a cookie for security purposes. It does not interfere with how session variables are stored.
3.) The cookie will have a lifetime and not expire until expressly told to expire, or the lifetime is reached/exceeded. THe session cookie lifetime is only valid during the time the session is open. It could be used (as an example) of a way to automatically invalidate a session so they must re-authenticate after a certain amount of time.

According to the PHP manual, the reason this is here is so that you store the session ID as a cookie rather than sending it through the URL. This is a security feature.

PHP Manual: session.use_cookies

acac

I'm confused about cookie.

in php settings, there are two configuration options:
session.cache_expire (value 180), session.cookie_lifetime (value 0).

What are differences between them?

I use this code to create a simple login/logout page. But after closing the browser, I'm still logged in (although the session.cookie_lifetime is set to zero). Does the option session.cache_expire (value 180) cause that behaviour.

login.php

<?php
	session_start();
?>

<html>
<head>
<title>Login Form</title>
</head>
<body>
<h1>Welcome to homepage !</h1>
<?php

if (!isset($_SESSION['valid_user']))
{
	$username = $_REQUEST['username'];
	$password = $_REQUEST['password'];

	if (empty($username) || empty($password))
		echo 'Please enter your username and password.<br>';
	else
	{
		// neu da danh username va password thi se check voi csdl
		$db = new mysqli('localhost', 'tiger', '123456', 'auth');
		if (mysqli_connect_errno())
		{
			echo 'Could not connect to database.<br>';
			exit();
		}
		$query = 'select name from authorized_users where name = \''.$username.'\''.
				 ' and password = sha1(\''.$password.'\')';
		$result = $db->query($query);
		if ($result->num_rows > 0)
			$_SESSION['valid_user']	= $username;
		else 
			echo 'You have provided wrong username and password.<br>';

		if ($result) $result->free();
		$db->close();
	}
}


// neu da log in roi
if (isset($_SESSION['valid_user']))
{
	echo '<p>You have logged in as <strong>'.$_SESSION['valid_user'].'</strong><br>';
	echo '<p>Click <a href=\'logout.php\'>here</a> to logout.<br>';
}
else 
{
?>

<form action="login.php" method="POST">
	<table border="0">
	<tr>
		<td>Username: </td>
		<td><input type="text" name="username" size="30" maxlength="30"></td>
	</tr>
	<tr>
		<td>Password: </td>
		<td><input type="password" name="password" size="30" maxlength="30"></td>
	</tr>
	<tr>
		<td></td>
		<td><input type="submit" value="Log In"></td>
	</tr>
	</table>
</form>

<?php
	}
?>

</body>
</html>

logout.php

<?php
	session_start();
?>
<html>
<head>
<title>Logout</title>
</head>
<body>
<h1>Logout page !</h1>
<?php
	if (isset($_SESSION['valid_user']))
	{
		unset($_SESSION['valid_user']);
		session_destroy();
		echo 'You have logged out successfully.<br>';
	}
	else 
		echo 'You have not logged in yet, so you can\'t logout. Sorry.<br>';
?>
<p>Click <a href="login.php">here</a> to back to login page</p>
</body>
</html>

thank u

bpat1434

The session cache can cause that issue.

Basically, a cookie is a literal text file that resides on the users computer and will not be deleted until the browser sees it's expired or a script destroys it. A session is kept server-side and will not expire completely until it clears its cache (the cache expire limit). So if you have a session, store the ID in a cookie, close your browser, come back within that session expire limit, you will essentially "restore" your old session.

Best thing to do when dealing with sessions is to always destroy the session properly.

acac

thank u 🙂

Pehape

thank you all,
is sessionid automatically created?

could you give me code examples to see the benefit of using sessionid or how to create and check it?
thanks