I was following this SO Question and this SO Question for setting up Remember Me. However when I pull up Cookies in Google I get PHP and Javascript ways to do it. Which way is better, or do I need to use both? I have a code base in PHP and Javascript and I need a starting point. I see the multitude of SO articles on javascript vs. php for cookies but that is not what I'm asking..I know the difference between server side and client side programming and what a cookie is...but could not see an explicit answer on how to set / retrieve a cookie. My assumptions would be:
For setting a cookie:
Use PHP when the user logs in and sets "Remember Me". Although the client has control at this point, the credentials must pass back to PHP for validation. Once validation is complete set a cookie and store the Token.
For checking a cookie:
Use PHP, because PHP is called first when a user requests a page from you web app the first time, so check for the cookie there and determine what data to send to the user.
So my guess is PHP both ways.
If I am correct ...if so what are javascript cookies used for?
Related
W3 Schools - PHP Cookies
PHP.net
PHP.net - Cookie Feautures
PHP.net - setcookie()
Javascript cookies are generally used for setting position/color of elements on a page, per the users preferences. For example, a site with several different themes (e.g. "dark", "light") and buttons to change the current theme on the side of the page might store the theme the user selected using a cookie, so that the next time the user visits the site the page theme will be the same. This information could also be stored server-side, but for privacy reasons it may be preferable to store client side, especially if the user doesn't have an account on the site.
The bottom line is that you should use php for any cookies that are essential to the function of your website, and use javascript cookies for superficial aspects of your site such as the theme.
The Javascript way won't work if javascript is not available, whereas setting the cookie server-side is guaranteed to work unless the user has explicitly blocked cookies. Manipulating cookies in javascript (via document.cookie) is not a fun experience, whereas PHP provides $_COOKIE (and $_SESSION which is indirectly dependant on cookies in its most common usage patterns) which are far simpler to deal with. A cookie set in PHP can be accessed in Javascript unless specified otherwise (which I'll get to) and I don't know what dealing with secure cookies (sent via https) would be like in javascript, but I don't imagine it would be pleasant.
Cookies can be set HTTP only if you use a server side technology to set them. When set, browsers that are HTTP-only cookie aware will deny access to the cookie for javascript. This is important because javascript can be used to snoop on cookies and steal their content, sending them to an eavesdropper. HTTP only cookies prevent this kind of abuse.
So in short, I'd go with PHP for setting your cookie.
Related
I am creating a simple site and am a little stuck on what to do for my users if their cookies are disabled. If one is to login and left idle for a couple minutes how would I keep that user logged in and identified if their cookies are disabled?
If cookies are blocked, your options are:
Pass the session ID in the URL as a parameter.
Embed the session ID in the page (in a hidden element, of course), and refer to it using JavaScript.
As a side note, recently I've seen several sites saying that my browsing experience would be severely limited, as long as cookies are disabled in my browser. Depending on how much I need the site's function, I'll either enable cookies, use a different browser with cookies enabled, or decide to skip the site altogether.
Another option that works in modern browsers is to utilize Web Storage. This is also suggested as a preferred replacement to cookies. (browser support)
First check if cookies or Web Storage is available in the browser, use which you prefer to set your values to check there. You could then fall back to the hidden session data that #TravelingTechGuy suggested, then from there you could ask your users to comply or restrict access.
I agree that session data in the URL isn't a good idea for the reasons mentioned in comments to the OP.
The only downside (that I can think of ATM) to the "on page hidden session data" would be potentially back end "session leak" in code. You wouldn't want to accidentally send back a wrong session ID to the client in HTML since you have to persist that data in the page by sending it to the server and back each time (unless you utilize some single page app style to keep that session data local only). Preferably you only want to check a submitted session ID and react from there.
If you suspect you may lose user base that may impact your service because of some restriction, it would be best to try and provide as many checks and fallbacks as possible.
You could have a try on Flash cookies. If you get a copy of Flash 5, it works without permission (it wasn't even documentated, but it works). It would really be a dirty hack though.
Is it possible start Session with out using any server side scripting like PHP.
I want start SESSION with pure HTML/HTML5./Javascript.. ?
Thanks Advance. :)
The usual meaning of the term "session" in web development is "A bucket of information stored on the server that is linked to a specific user via a token". Since the definition requires a server to be involved, no you cannot achieve that without a server.
You can store the data in a session cookie (one without an explicit expiry time that will die when the browser is closed).
In modern browsers, you can store larger amounts of data using sessionStorage.
You could set a COOKIE with Javascript (http://www.w3schools.com/js/js_cookies.asp).
If you really want a PHP Session without PHP, that's impossible. A Cookie is the closest you'll get.
On the topic of Cookies, these are stored locally on the users system and can be edited. I do not reccomend using this method if you need good security. See this blog post explaining more on this matter:
http://www.nczonline.net/blog/2009/05/12/cookies-and-security/
No its not possible. What you use in PHP is the PHP session handler.
In javascript you can use cookies to store some small data.
I want to put in the PHP session an information if the client uses HTML5 or not.
My HTML5 detection is launched only 1 time and need to store the information in the PHP session, sending from HTML to PHP is easy with a simple cookie, but if the client doesn't accept cookies it's harder.
Sending a GET variable to php is a possibility but on the 1st load we don't have the information.
Or maybe there is another way to store an information without PHP that works on none-cookied browsers ?
Thank you very much.
PHP sessions don't DEPEND on cookies, but they sure are a lot easier to work with. You can have PHP auto-embed the session ID into URLs for you, but it's a very nasty security hole - the user's session ID will leak onto any sites you link to via the referer, and makes it impossible to properly bookmark your site.
If you do want to chance that, then look up trans_sid settings in your php configuration.
So finally I did it differently.
Instead of detecting on the page itself that required me to call jQuery or other plugins, I call it from the main page and send the data to the called page.
Like that I got it in PHP on that page.
Is there a difference between javascript cookies and php cookies?
HTTP Cookies are not a feature of PHP, nor a feature of Javascript : those are just programming languages that allow a developper to manipulate them.
The biggest difference between JS and PHP is that :
Javascript runs on the client side
PHP runs on the server side
But cookies are still the same : they are defined as a standard -- see RFC 2965.
Still, note that modern browsers implement cookies that are not accessible from Javascript *(see the `httponly` option of [`setcookie`][3])* -- which means that, depending on the browser, and the way a cookie was set, it might not be accessible from Javascript.
This is a security measure -- and is not a difference between "js cookies" and "php cookies" : it's just a property of some cookies.
No, cookies are defined by an RFC spec.
A cookie is just a file stored on the client computer, and it typically contains a name, value, and expiration. Cookies are sent within header of an HTTP page request, so they aren't immediately available (unless you use output buffering). Cookies are good for non-sensitive data, since they are easily found via the client browser settings.
Cookies can also be used in creating Session variables, which are stored on the server. In this case, the cookie value is an index that the server uses to identify its values. This is a better approach for more sensitive data, since only a "meaningless" value resides on the client computer.
With this in mind, Cookies and Session data (as well as GET and POST data) are Super Global variables, which means they can be used by both JavaScript and PHP. Again, the only catch is that cookies may not be immediately available, depending on how your script works and your output buffering settings.
I have an API that is dependent on certain state information between requests. As an easy first version of the code, I am simply using PHP session's to store the state information instead of something more advanced (APC, memcache, DB). Throughout my initial testing in a web browser, everything worked perfectly. However, it seems that when clients try to connect through non-browser methods such as Curl or wget, the state information is not being preserved.
Will a PHP session only be created if a browser is requesting the page? I am explicitly starting the session with session_start() as well as naming it before hand with session_name().
An added note. I learned that one of the major problems I was having was that I was naming the session instead of setting the session id via session_id($id); My intention in using session_name() was to retrieve the same session that was previously created, and the correct way to do this is by setting the session_id not the session_name.
It seems that session information will be persisted on the server as noted below (THANK YOU). But to keep this you must pass the session id, or, as in my case, any other id that would uniquely identify the user. Use this id as the session_id and your sessions will function as expected.
Session Cookies
Remember that HTTP is stateless, so sessions are tracked on your server, but the client has to identify itself with each request. When you declare session_start(), your browser is usually setting a cookie (the "PHP Session Id"), and then identifying itself by sending the cookie value with each request. When a script is called using a request with a session value, then the session_start() function will try to look up the session. To prove this to yourself, notice that sessions die when you clear your cookies.. many will die even as soon as you quit the browser, if the cookie is a "session" cookie (a temporary one). You mentioned that you're naming the session.. take a look in your browser cookies and see if you can find a cookie with the same name.
All of this is to say that cookies are playing an active role in your sessions, so if the client doesn't support cookies, then you can't do a session the way you're currently doing it.. at least not for those alternative clients. A session will be created on the server; the question is whether or not the client is participating.
If cookies aren't an option for your client, you're going to have to find another way to pass a session id to the server. This can be done in the query string, for example, although it's a considered a bit less private to send a session id in this way.
mysite.com?PHPSESSID=10alksdjfq9e
How do to this specifically may vary with your version of PHP, but it's basically just a configuration. If the proper runtime options are set, PHP will transparently add the session id as a query parameter to links on the page (same-source only, of course). You can find the specifics for setting that up on the PHP website.
Sidenote: Years ago, this was a common problem when attempting to implement a session. Cookies were newer and many people were turning off the cookie support in their browsers because of purported security concerns.
Sidenote: #Uberfuzzy makes a good point- Using sessions with curl or wget is actually possible. The problem is that it's less automatic. A user might dump header values into a file and use the values on future requests. curl has some "cookie awareness" flags, which allow you to handle this more easily, but you still must explicitly do it. Then again, you could use this to your advantage. If curl is available on your alternative client, then you can plausibly make the call yourself, using the cookie awareness flags. Refer to the curl manual.
If you call session_start(), then a session will be created if the client isn't in an existing one. If the client doesn't support (or is configured to ignore) the cookies or querystring mechanism used to maintain the session, a new session will be created on every request.
This may bloat your session storage mechanism with unused sessions.
It might be a better idea to only call session_start() when you have something to store in the session (e.g. user login, or something else that robots aren't likely to do), if you feel this is likely to be a problem.
Will a PHP session only be created if a browser is requesting the page?
Short answer: Yes. Sessions were created specifically to solve the HTTP stateless problem by leveraging browser features. APC, memcached, DB, etc. don't matter. Those are just storage methods for the session, and will suffer from the same problem.
Longer answer: The concept of sessions were created to account for the fact that HTTP is a stateless protocol, and it turns out that state's pretty important for a wide variety of software applications.
The most common way of implementing sessions is with cookies. PHP sends the session ID in a cookie, and the browser sends the cookie with the session ID back. This ID is used on the server to find whatever information you've stored in the session. PHP has the capacity to include and read a session ID at the end of a URLs, but this assumes that users will navigate to pages on your site/application by clicking links that include a generated session ID.
In your specific case, it is possible to use cookies with curl (and possibly wget). Curl is a web browser, just one without a GUI. If it's the command line curl program you're using (as opposed to the C library, PHP extension,etc.) read up on the following options
-b/--cookie
-c/--cookie-jar
-j/--junk-session-cookies