Re: Cookies/Sessions and how they work

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Mar 9, 2009 at 10:26 PM, Paul M Foster <paulf@xxxxxxxxxxxxxxxxx> wrote:
> This is in two parts. First cookies. I'm a little unclear on how they
> work. From what I've read, cookies are stored by the browser. When a
> request for that cookie comes in from the server, the browser returns
> only the value, and no other data. One question: When the browser
> requests a page from a server, does it automatically search its cookies
> for that domain and send them along with the other requests? If that's
> now how it works, then how does it work?
>
> Second part is about sessions. According to the notes for the cookies
> page at php.net, it's considered bad practice to store user IDs and
> passwords in cookies. It's considered better practice to use PHP's
> native session-handling code to do this. But if a user has cookies
> turned on in the browser, then PHP will store the session information
> (possibly user ID and password) as a cookie. So what's the difference?
>
> The reference for the above is:
> http://us2.php.net/manual/en/features.cookies.php#36058
>
>
> Paul
>
> --
> Paul M. Foster
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

When a website sends the "Cookie:" in a HTTP header, the browser
decides what to do with it (or not to do). Generally, it saves the
cookie name and contents into a file. Although, various browsers
handle cookies differently, and some browsers ignore them completely
(or have options to).

Within the cookie data are various things, such as the domain and
expiration. When you point the browser to a website, the browser
checks all it's cookies and see if the website matches the "domain"
field in any of the cookies. If so, it sends the name/content of the
cookie/cookies to the site in a/an HTTP header automatically.

A very useful tool in monitoring all this and viewing what your
browser does behind the scenes is the Firefox extension "Live HTTP
Headers."
https://addons.mozilla.org/en-US/firefox/addon/3829

PHP sessions use cookies. When you call session_start() for the first
time, php randomly generates a unique hash ID for that session. It
sends it to the browser as a cookie with the name PHPSESSID (this is
customizable in php.ini). The server keeps a list of all the sessions
on the HDD (and expires them when needed, of course). When you store
any variable into the $_SESSION superglobal var, it stores the data ON
THE SERVER - nothing is sent to the browser. The browser only sends
the session ID cookie, which tells the server "hey, get the $_SESSION
data for this session ID." So it's up to the browser to send the
session cookie each time, else all the $_SESSION data is lost.

Help clear it up for ya?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux