
Sessions and Cookies

Today we will talk about sessions and cookies. These are essential to helping users log in to sites like this.

What are sessions?

Sessions are pieces of data that are saved on the server. The server then creates a session identifier, also called a session id, on the user's computer. It can be set either through a cookie or the URL and links back to the data on the server. Browsers should request a new session id every time they come to the site. Sessions are more secure than cookies because the user never has direct access to the actual data.

How do I make sessions last longer?

Session data is stored on the server, but the id that links to it is set on the user's computer. If you know the session id, it's possible to inject that id and get access to the data. Hackers often do this to steal login sessions.

But you really shouldn't do this. Session id injection creates a huge security flaw if you use sessions for security checks. You're better off setting a cookie and then starting a new session.

How do I set sessions?

You need to call session_start() to start the session every time you want to access it. Then you just assign values like a variable.

$_SESSION['weather'] = 'sunny';

What are cookies?

Cookies are what grandmother Betsy makes every time you come over to visit. That's true, but I'm talking about cookies on a website. Cookies are just pieces of data that get stored on a visitor's computer. Whenever you see the "remember me on this computer" checkbox on a site, it uses cookies. Sites like Facebook, Yahoo, and Hotmail use cookies to remember your data and log you in automatically. Cookies can survive even after the browser has been closed.

How do I set cookies?

To set a cookie you need a name for the cookie, the value, and the length of time the cookie should last. Cookies use a Unix timestamp to calculate the expiry time.

setcookie('fruit', 'apple', time()+3600);

How do I grab the data?

All you need to do is retrieve it like any other variable.

$weather = $_SESSION['weather'];
$fruit   = $_COOKIE['fruit'];

Now they're in, how do I get them out?

If you use sessions or cookies, you should have a way to remove them, especially if they hold sensitive data. Almost every site with a login function also has a logout function. For cookies, you need to select each one and give it a negative timer (an expiry time in the past). To remove sessions, just use session_destroy() to remove all data. Note that if you set your session id in a cookie, you should delete that also.

// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();

// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    // An expiry time in the past tells the browser to drop the cookie.
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}

// Finally, destroy the session.
session_destroy();

What if the user has cookies disabled?

Users without cookies should get with the program or get out, IMHO. By default, your server uses cookies to store the session ID. If your user has cookies disabled, your sessions will still work... on the page where you set them, but say goodbye when they refresh or move to a new page. If it's critical that users without cookies can use sessions correctly, somewhere on your web server there should be a php.ini file. Inside this file, look for the option session.use_cookies; it should be set to 1. If you set it to 0, then the session ID will be sent in the URL instead. This will ensure that all users can use sessions even if they don't have cookies.

Note: Changing this option will change it for ALL users, even users with cookies enabled. You also basically hold up a glowing neon sign that says "Please hack my website!"

Are cookies and sessions secure?

Not in their basic state. Both sessions and cookies can be faked or stolen. Whenever visitors send any data over an insecure connection, hackers can "sniff" the data; this is called a man-in-the-middle attack. The only way to prevent that attack is to add SSL to your website. If you decide to use unsecured cookies or sessions for important information, like login data, it is highly recommended that you hash it to prevent manipulation. I'll talk more about some tricks you can add to deter most hackers in a later tutorial.
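To make the two pieces of advice above concrete (start a fresh session instead of trusting an id the visitor brought with them, and hash cookie data so it can't be manipulated), here is an added example that is not part of the original tutorial. It assumes PHP 7.3 or later and invents the names login_user(), set_signed_cookie(), read_signed_cookie() and $secret; the "hash" is done as an HMAC keyed with a server-side secret, because a plain hash the visitor can recompute would not stop tampering.

```php
<?php
// Added example, not from the original tutorial. Assumed names:
// login_user(), set_signed_cookie(), read_signed_cookie(), $secret.

// Start the session with the cookie flags a login site should use:
// secure => only sent over SSL, httponly => page scripts can't read it.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// After a successful password check, issue a fresh session id so an id the
// visitor arrived with (via URL or cookie) never becomes the logged-in one.
function login_user(int $userId): void
{
    session_regenerate_id(true);          // true: drop the old session data
    $_SESSION['user_id'] = $userId;
}

// "Remember me" cookie: the value is tied to a server-side secret with an
// HMAC, so a visitor who edits the value can't produce a matching tag.
function set_signed_cookie(string $name, string $value, string $secret, int $ttl): void
{
    $tag = hash_hmac('sha256', $value, $secret);  // hex, never contains '.'
    setcookie($name, $tag . '.' . $value, [
        'expires'  => time() + $ttl,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Returns the value only if the tag still matches; null means missing or tampered.
function read_signed_cookie(string $name, string $secret): ?string
{
    $parts = explode('.', $_COOKIE[$name] ?? '', 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$tag, $value] = $parts;
    // hash_equals: constant-time compare so the tag can't be guessed byte by byte.
    return hash_equals(hash_hmac('sha256', $value, $secret), $tag) ? $value : null;
}
```

Keep $secret out of the web root and out of version control; anyone who reads it can forge cookies.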

And that's all for today folks! Keep in mind that unsecured data going between a computer and your server can be "sniffed" by a third party. If you are paranoid about your website security, SSL is a must. If you don't have SSL encryption, I'll show you some tricks in a later tutorial.

Category: PHP
