Is there a difference between javascript cookies and php cookies?
HTTP Cookies are not a feature of PHP, nor a feature of Javascript : those are just programming languages that allow a developper to manipulate them.
The biggest difference between JS and PHP is that :
Javascript runs on the client side
PHP runs on the server side
But cookies are still the same : they are defined as a standard -- see RFC 2965.
Still, note that modern browsers implement cookies that are not accessible from Javascript *(see the `httponly` option of [`setcookie`][3])* -- which means that, depending on the browser, and the way a cookie was set, it might not be accessible from Javascript.
This is a security measure -- and is not a difference between "js cookies" and "php cookies" : it's just a property of some cookies.
No, cookies are defined by an RFC spec.
A cookie is just a file stored on the client computer, and it typically contains a name, value, and expiration. Cookies are sent within header of an HTTP page request, so they aren't immediately available (unless you use output buffering). Cookies are good for non-sensitive data, since they are easily found via the client browser settings.
Cookies can also be used in creating Session variables, which are stored on the server. In this case, the cookie value is an index that the server uses to identify its values. This is a better approach for more sensitive data, since only a "meaningless" value resides on the client computer.
With this in mind, Cookies and Session data (as well as GET and POST data) are Super Global variables, which means they can be used by both JavaScript and PHP. Again, the only catch is that cookies may not be immediately available, depending on how your script works and your output buffering settings.
Related
i am working on PHP and i know how to manage the session. But my question is, session is related to language or web server. Who is responsible to execute the session?
You are responsible for session execute by starting the session with session_start().
By default session is stored in /tmp on a Linux/Unix system. You can change it with session_save_path() method.
Also take a look in php.ini for [Session] part, it should look like this
; Handler used to store/retrieve data.
; http://www.php.net/manual/en/session.configuration.php#ini.session.save-handler
session.save_handler = files
As You can see by default it is stored as file storage, it's recommended to move session to cache i.e. memcache.
EDIT:
Maybe this post can help You: https://security.stackexchange.com/a/19054
A session token is a unique identifier that is generated and sent from a server to a client to identify the current interaction session. The client usually stores and sends the token as an HTTP cookie and/or sends it as a parameter in GET or POST queries. The reason to use session tokens is that the client only has to handle the identifier—all session data is stored on the server (usually in a database, to which the client does not have direct access) linked to that identifier. Examples of the names that some programming languages use when naming their HTTP cookie include JSESSIONID (JSP), PHPSESSID (PHP), CGISESSID (CGI), and ASPSESSIONID (ASP).
Sessions are a combination of two components, namely, a client-side session ID and server-side session data. well, practically it behaves like a cookie, 2 cookies which reply on each other. The Client-side can send a session ID to the server-side as a URL param, cookie, or even HTTP headers. The server then uses this session ID to find the matching session data to return to the requesting client.
so to answer your question straight up, a session is part of both the server and the client, which you maybe refer to as language. But PHP handles the execution.
additionally, You can tweak session behavior via the various session functions.
Session is generated by server but it is coupled with the language. So if you look into your browser resource you'll find your session id prefixed with the language you are using.
Is it possible start Session with out using any server side scripting like PHP.
I want start SESSION with pure HTML/HTML5./Javascript.. ?
Thanks Advance. :)
The usual meaning of the term "session" in web development is "A bucket of information stored on the server that is linked to a specific user via a token". Since the definition requires a server to be involved, no you cannot achieve that without a server.
You can store the data in a session cookie (one without an explicit expiry time that will die when the browser is closed).
In modern browsers, you can store larger amounts of data using sessionStorage.
You could set a COOKIE with Javascript (http://www.w3schools.com/js/js_cookies.asp).
If you really want a PHP Session without PHP, that's impossible. A Cookie is the closest you'll get.
On the topic of Cookies, these are stored locally on the users system and can be edited. I do not reccomend using this method if you need good security. See this blog post explaining more on this matter:
http://www.nczonline.net/blog/2009/05/12/cookies-and-security/
No its not possible. What you use in PHP is the PHP session handler.
In javascript you can use cookies to store some small data.
I was following this SO Question and this SO Question for setting up Remember Me. However when I pull up Cookies in Google I get PHP and Javascript ways to do it. Which way is better, or do I need to use both? I have a code base in PHP and Javascript and I need a starting point. I see the multitude of SO articles on javascript vs. php for cookies but that is not what I'm asking..I know the difference between server side and client side programming and what a cookie is...but could not see an explicit answer on how to set / retrieve a cookie. My assumptions would be:
For setting a cookie:
Use PHP when the user logs in and sets "Remember Me". Although the client has control at this point, the credentials must pass back to PHP for validation. Once validation is complete set a cookie and store the Token.
For checking a cookie:
Use PHP, because PHP is called first when a user requests a page from you web app the first time, so check for the cookie there and determine what data to send to the user.
So my guess is PHP both ways.
If I am correct ...if so what are javascript cookies used for?
Related
W3 Schools - PHP Cookies
PHP.net
PHP.net - Cookie Feautures
PHP.net - setcookie()
Javascript cookies are generally used for setting position/color of elements on a page, per the users preferences. For example, a site with several different themes (e.g. "dark", "light") and buttons to change the current theme on the side of the page might store the theme the user selected using a cookie, so that the next time the user visits the site the page theme will be the same. This information could also be stored server-side, but for privacy reasons it may be preferable to store client side, especially if the user doesn't have an account on the site.
The bottom line is that you should use php for any cookies that are essential to the function of your website, and use javascript cookies for superficial aspects of your site such as the theme.
The Javascript way won't work if javascript is not available, whereas setting the cookie server-side is guaranteed to work unless the user has explicitly blocked cookies. Manipulating cookies in javascript (via document.cookie) is not a fun experience, whereas PHP provides $_COOKIE (and $_SESSION which is indirectly dependant on cookies in its most common usage patterns) which are far simpler to deal with. A cookie set in PHP can be accessed in Javascript unless specified otherwise (which I'll get to) and I don't know what dealing with secure cookies (sent via https) would be like in javascript, but I don't imagine it would be pleasant.
Cookies can be set HTTP only if you use a server side technology to set them. When set, browsers that are HTTP-only cookie aware will deny access to the cookie for javascript. This is important because javascript can be used to snoop on cookies and steal their content, sending them to an eavesdropper. HTTP only cookies prevent this kind of abuse.
So in short, I'd go with PHP for setting your cookie.
if on a page i have
echo $_SESSION['user_id'];
and it echo's 1
can i access that value on a page called using ajax (on the same server & domain)
or do i need to pass that value through with the ajax request?
Yes you can access it, the same cookies are, by default, passed with an AJAX request, which is what you need for session (again, by default).
If you look at XHR requests "out of the box", you'll understand that there is generally no difference, in the client or in the server, between a "classic" HTTP request and an XmlHttpRequest.
The only difference is in the client, in two ways: you get the answer without leaving the current page, and you are free to do what you want with that in your javascript.
So in the PHP side of things everything is the same.
One point that might need some attention: if for instance the client does many asynchronous requests that might take some time to process in PHP, you'll want to be careful with the default file-based PHP sessions. An Apache/PHP process that has opened the session will essentially block other requests that also want to access the session. session_write_close() is your friend.
I have an API that is dependent on certain state information between requests. As an easy first version of the code, I am simply using PHP session's to store the state information instead of something more advanced (APC, memcache, DB). Throughout my initial testing in a web browser, everything worked perfectly. However, it seems that when clients try to connect through non-browser methods such as Curl or wget, the state information is not being preserved.
Will a PHP session only be created if a browser is requesting the page? I am explicitly starting the session with session_start() as well as naming it before hand with session_name().
An added note. I learned that one of the major problems I was having was that I was naming the session instead of setting the session id via session_id($id); My intention in using session_name() was to retrieve the same session that was previously created, and the correct way to do this is by setting the session_id not the session_name.
It seems that session information will be persisted on the server as noted below (THANK YOU). But to keep this you must pass the session id, or, as in my case, any other id that would uniquely identify the user. Use this id as the session_id and your sessions will function as expected.
Session Cookies
Remember that HTTP is stateless, so sessions are tracked on your server, but the client has to identify itself with each request. When you declare session_start(), your browser is usually setting a cookie (the "PHP Session Id"), and then identifying itself by sending the cookie value with each request. When a script is called using a request with a session value, then the session_start() function will try to look up the session. To prove this to yourself, notice that sessions die when you clear your cookies.. many will die even as soon as you quit the browser, if the cookie is a "session" cookie (a temporary one). You mentioned that you're naming the session.. take a look in your browser cookies and see if you can find a cookie with the same name.
All of this is to say that cookies are playing an active role in your sessions, so if the client doesn't support cookies, then you can't do a session the way you're currently doing it.. at least not for those alternative clients. A session will be created on the server; the question is whether or not the client is participating.
If cookies aren't an option for your client, you're going to have to find another way to pass a session id to the server. This can be done in the query string, for example, although it's a considered a bit less private to send a session id in this way.
mysite.com?PHPSESSID=10alksdjfq9e
How do to this specifically may vary with your version of PHP, but it's basically just a configuration. If the proper runtime options are set, PHP will transparently add the session id as a query parameter to links on the page (same-source only, of course). You can find the specifics for setting that up on the PHP website.
Sidenote: Years ago, this was a common problem when attempting to implement a session. Cookies were newer and many people were turning off the cookie support in their browsers because of purported security concerns.
Sidenote: #Uberfuzzy makes a good point- Using sessions with curl or wget is actually possible. The problem is that it's less automatic. A user might dump header values into a file and use the values on future requests. curl has some "cookie awareness" flags, which allow you to handle this more easily, but you still must explicitly do it. Then again, you could use this to your advantage. If curl is available on your alternative client, then you can plausibly make the call yourself, using the cookie awareness flags. Refer to the curl manual.
If you call session_start(), then a session will be created if the client isn't in an existing one. If the client doesn't support (or is configured to ignore) the cookies or querystring mechanism used to maintain the session, a new session will be created on every request.
This may bloat your session storage mechanism with unused sessions.
It might be a better idea to only call session_start() when you have something to store in the session (e.g. user login, or something else that robots aren't likely to do), if you feel this is likely to be a problem.
Will a PHP session only be created if a browser is requesting the page?
Short answer: Yes. Sessions were created specifically to solve the HTTP stateless problem by leveraging browser features. APC, memcached, DB, etc. don't matter. Those are just storage methods for the session, and will suffer from the same problem.
Longer answer: The concept of sessions were created to account for the fact that HTTP is a stateless protocol, and it turns out that state's pretty important for a wide variety of software applications.
The most common way of implementing sessions is with cookies. PHP sends the session ID in a cookie, and the browser sends the cookie with the session ID back. This ID is used on the server to find whatever information you've stored in the session. PHP has the capacity to include and read a session ID at the end of a URLs, but this assumes that users will navigate to pages on your site/application by clicking links that include a generated session ID.
In your specific case, it is possible to use cookies with curl (and possibly wget). Curl is a web browser, just one without a GUI. If it's the command line curl program you're using (as opposed to the C library, PHP extension,etc.) read up on the following options
-b/--cookie
-c/--cookie-jar
-j/--junk-session-cookies