CS 330 Class 12
Provided by: cshil
Slides: 23
1
CS 330 Class 12
  • Programming plan for Nov 19, 2007
  • More databases
  • Left over: editUser.php
  • Integrated user management: users.php
  • Sessions and cookies

2
Homework
  • Look at examples for managing the table of books
  • What's wrong with my solution?
  • Questions on projects?

3
  • Left over: editUser.php
  • Default HTML: a form for selecting the user to edit
  • When submitted:
  • present information for that user and accept modifications
  • submit and update the database
  • Organization: a POST variable indicates the action
  • 1. if updateName is set, process the update query
  • 2. if editName is set:
  • present the old information for editName in a form
  • user enters changes
  • pass updateName and the changed data to step 1
  • 3. neither:
  • present the list of users
  • select a user to edit
  • pass editName to step 2

4
Code Version
    //UPDATE USER IF COMING FROM EDITING DATA (1)
    if (isset($_POST["updateName"])) {
        //formulate and make an update query
    }
    //EDIT DATA FOR SELECTED USER IF COMING FROM USER SELECTION (2)
    if (isset($_POST["editName"])) {
        //print the user information
        //upon selection, go to 1
    }
    //SELECT A USER TO EDIT (3)
    else {
        //print the dropdown list of users
        //upon selection, go to 2
    }
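Filling in that skeleton, as an added example rather than the course's editUser.php: the same three branches, with mysqli prepared statements for the queries and escaped output. The connection parameters, the table name `users` and the form field names fullName and role are assumptions; the columns Name, FullName and Role are the ones the slides print.

```php
<?php
// editUser.php as an added example (not the course file). Assumed: mysqli
// connection details, a table `users` with columns Name, FullName, Role,
// and form fields fullName / role on the edit form.
$db = new mysqli('localhost', 'cs330', 'PLACEHOLDER_PASSWORD', 'cs330');
$db->set_charset('utf8mb4');

// Escape anything that lands inside HTML; request and DB data are never echoed raw.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// (1) UPDATE USER IF COMING FROM EDITING DATA
if (isset($_POST['updateName'])) {
    $name     = $_POST['updateName'];
    $fullName = $_POST['fullName'] ?? '';
    $role     = $_POST['role'] ?? '';
    // Prepared statement: the values travel separately from the SQL text,
    // so quote characters in a name are just data, not part of the query.
    $stmt = $db->prepare('UPDATE users SET FullName = ?, Role = ? WHERE Name = ?');
    $stmt->bind_param('sss', $fullName, $role, $name);
    $stmt->execute();
    echo '<p>Updated ', h($name), ': ', $stmt->affected_rows, ' row(s) changed.</p>';
    $stmt->close();
}

// (2) EDIT DATA FOR SELECTED USER IF COMING FROM USER SELECTION
if (isset($_POST['editName'])) {
    $stmt = $db->prepare('SELECT Name, FullName, Role FROM users WHERE Name = ?');
    $stmt->bind_param('s', $_POST['editName']);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if ($row === null) {
        echo '<p>No such user.</p>';
    } else {
        // The hidden updateName field routes the submission back to branch (1).
        echo '<form method="POST" action="editUser.php">',
             '<input type="hidden" name="updateName" value="', h($row['Name']), '">',
             '<p>Full name <input type="text" name="fullName" value="', h($row['FullName']), '">',
             '<p>Role <input type="text" name="role" value="', h($row['Role']), '">',
             '<p><input type="submit" value="Update"></form>';
    }
}
// (3) SELECT A USER TO EDIT (also reached after an update, as in the skeleton)
else {
    $result = $db->query('SELECT Name FROM users ORDER BY Name');
    echo '<form method="POST" action="editUser.php"><select name="editName">';
    while ($u = $result->fetch_assoc()) {
        echo '<option value="', h($u['Name']), '">', h($u['Name']), '</option>';
    }
    echo '</select> <input type="submit" value="Edit"></form>';
}
```

The control flow is the skeleton's: an update in branch (1) falls through to the list in branch (3), so the page returns to the selection form after every change.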

5
  • Integrated user management: users.php
  • Functions: add, edit, or delete a user
  • Returns to users.php after any action
  • Could we include ALL this in one page?
  • Yes
  • Should we?

6
  • Integrated user management: users.php
  • Uses GET instead of POST to attach information to URLs
  • The row displayed for each user:
    <td><?php echo $row_rsUsers['FullName']; ?></td>
    <td><?php echo $row_rsUsers['Name']; ?></td>
    <td><?php echo $row_rsUsers['Role']; ?></td>
    <td>(<a href="editUsr.php?Name=<?php echo $row_rsUsers['Name']; ?>">edit</a>,
        <a href="deleteUsr.php?Name=<?php echo $row_rsUsers['Name']; ?>">delete</a>)
    </td>
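The row above echoes database values straight into HTML and into the query string of the edit/delete links. As an added example (not the course's users.php), here is the same row rendered with the two encodings those positions need. The sample row is constructed; the column names are the slide's, the helper names are mine.

```php
<?php
// Added example, not the course's users.php. Constructed sample row with
// characters that matter in HTML and in URLs.
$row_rsUsers = ['FullName' => 'Ann "Annie" O\'Hara', 'Name' => 'ann&co', 'Role' => 'student'];

// For text that sits inside an HTML element or attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// A link such as editUsr.php?Name=... needs two layers: urlencode() so the
// value survives as one query parameter, then h() because the finished URL
// itself sits inside an href attribute.
function actionLink(string $script, string $name, string $label): string
{
    $url = $script . '?Name=' . urlencode($name);
    return '<a href="' . h($url) . '">' . h($label) . '</a>';
}

function renderUserRow(array $row): string
{
    return '<tr>'
         . '<td>' . h($row['FullName']) . '</td>'
         . '<td>' . h($row['Name']) . '</td>'
         . '<td>' . h($row['Role']) . '</td>'
         . '<td>(' . actionLink('editUsr.php', $row['Name'], 'edit') . ', '
                   . actionLink('deleteUsr.php', $row['Name'], 'delete') . ')</td>'
         . '</tr>';
}

echo renderUserRow($row_rsUsers), "\n";
```

With the slide's raw echo, the name `ann&co` turns the edit link into two parameters (Name=ann and an empty co), and a name containing markup is rendered as markup in the browser of every administrator who views the list; the encoded version keeps both as plain data.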

7
Chapter 8 Sessions
  • HTTP is stateless
  • Implication: the server has no memory of previous visits
  • Problem: how to manage complex user interactions
  • Classical example: shopping cart
  • CS330 example: restrict accesses via role and name
  • First look at cookies.

8
Cookies
  • Persistent state: client-side cookies allow a server to store client-specific information on the client machine
  • Mechanism:
  • each client maintains a list of cookies
  • a CGI program can add a Set-Cookie line to the returned header
  • PHP has a setcookie function to do the same
  • the client stores the cookie and returns it in HTTP_COOKIE on subsequent visits to the URL
  • Format: Name=Value
  • Typical cookies:
  • items requested/ordered
  • dates of access
  • survey information

9
  • Where are they?
  • in the browser: Tools/Options/Privacy/Cookies
  • in a file
  • If you know the name: $_COOKIE["name"] (cookie.php)
    <?php
    session_start();
    echo '$_COOKIE["Name"] is ' . $_COOKIE["Name"] . '<br/>';
    echo 'The cookie for PHPSESSID is ' . $_COOKIE["PHPSESSID"];
    ?>
  • If you don't know the name: cookies.php on the next slide

10
    <?php
    if (isset($_POST['name'])) {
        setcookie($_POST['name'], $_POST['value']);
        echo "You have just added cookie " . $_POST['name'] . "=" . $_POST['value'];
    }
    if (isset($_GET['seecookies'])) {
        print_r($_COOKIE);
        echo '<br />';
    }
    ?>
    <html><head><title>Cookies</title></head><body>
    <h2>Cookies</h2>
    <form action="cookies.php" method="POST">
    <p>Name <input type="text" name="name">
    <p>Value <input type="text" name="value">
    <p><input type="submit" value="Add the cookie">
    </form>
    <hr />
    Click <a href="cookies.php?seecookies=yes">here</a> to see the current cookies.

11
  Example 8-1
    <?php
    // See if the HTTP request has a cookie called "count"
    if (!isset($_COOKIE["count"])) {
        $count = 0;        // No cookie called count, set counter to zero
        $start = time();   // set cookie with the "start" time
        setcookie("start", $start, time() + 600, "/", "", 0);
        $_COOKIE["start"] = $start;
    } else {
        $count = $_COOKIE["count"] + 1;
    }
    // Set cookie "count" with the current value
    setcookie("count", $count, time() + 600, "/", "", 0);
    ?>
    <html><head><title>Cookie State Test</title></head><body>
    <p>This page comes with cookies. Enjoy!
    <br>count = <?php echo $count; ?>.
    <br>start = <?php echo $_COOKIE["start"]; ?>.
    <p>This session has lasted
    <?php $duration = time() - $_COOKIE["start"];
    echo "$duration"; ?>

12
Cookies are Problematic
  • Limited amount of information
  • Expiration
  • Users turn them off
  • Users delete them
  • Can be spoofed
  • Most developers don't use them
  • Resource: www.cookiecentral.com
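The "can be spoofed" point deserves a concrete countermeasure. Added example, not from the textbook or the course: a cookie value carried with an HMAC tag so the server can tell whether the client changed it, set with the httponly, secure and samesite options that the earlier setcookie calls leave at their defaults. The key constant is a placeholder, and the values at the end are constructed stand-ins for a live $_COOKIE entry.

```php
<?php
// Added example (not the text's or the course's code). The key must come
// from configuration outside the web root; this value is a placeholder.
const COOKIE_KEY = 'PLACEHOLDER_32_BYTE_SECRET_CHANGE_ME';

// Layout: value|tag. The tag is an HMAC over the value, so editing the
// value on the client side invalidates the tag unless the key is known.
function signCookieValue(string $value, string $key = COOKIE_KEY): string
{
    return $value . '|' . hash_hmac('sha256', $value, $key);
}

// Returns the verified value, or null when the cookie is missing or altered.
function readSignedCookie(?string $raw, string $key = COOKIE_KEY): ?string
{
    if ($raw === null) {
        return null;
    }
    $pos = strrpos($raw, '|');
    if ($pos === false) {
        return null;
    }
    $value = substr($raw, 0, $pos);
    $tag   = substr($raw, $pos + 1);
    // hash_equals runs in constant time, so the comparison leaks nothing about the tag.
    return hash_equals(hash_hmac('sha256', $value, $key), $tag) ? $value : null;
}

// Setting it: the array form of setcookie (PHP 7.3+). httponly keeps the
// cookie away from page scripts, secure limits it to HTTPS, samesite limits
// when requests started by other sites carry it.
if (!headers_sent()) {
    setcookie('count', signCookieValue('5'), [
        'expires'  => time() + 600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Reading it back, with constructed values in place of $_COOKIE['count']:
$genuine  = signCookieValue('5');
$tampered = '999' . substr($genuine, strpos($genuine, '|'));  // value edited, old tag kept
var_dump(readSignedCookie($genuine));    // genuine cookie
var_dump(readSignedCookie($tampered));   // edited value
var_dump(readSignedCookie(null));        // cookie absent
```

A signed cookie stops silent modification, but the client can still read the value and resend an old copy; that is the gap the next slides close by keeping the data on the server and sending only a session ID.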

13
Better PHP Session Management
  • Why better for persistent information?
  • can be controlled by the server
  • less data passed around
  • Behaviour:
  • a session ID is generated at startup
  • the session ID is passed with each request from
    client to server (often in a cookie)
  • ended by timeout or explicit close

14
Session Management
  • Implementation:
  • session_start() starts a new session or links to an existing one
  • the session ID is passed in a cookie
  • session data (variables) is saved in PHP/sessiondata
  • session_destroy() destroys the session and any variables
  • Example:
  • try users.php accessed from admin.php
  • try users.php accessed directly
  • if I have logged on in Netscape/Firefox, I can open another Netscape/Firefox window to the same session
  • once I close the browser, I am not considered logged on
  • Big deal: session variables
  • stored between pages
  • loaded when a session ID is passed in a cookie from the client (cookie.php)

15
  • login.php:
    //valid user
    if (mysql_num_rows($rsUsers) > 0) {
        $_SESSION["UserName"] = $row_rsUsers["FullName"];
        $_SESSION["UserAuthorization"] = $row_rsUsers["Role"];
        if ($_SESSION["UserAuthorization"] == "admin")
            $LoginSuccess = "admin.php";
        ...
    }
  • UserAuthorization is used to restrict pages by role.
  • UserName is used to greet the user or for a student to get grades.
  • Subsequent pages (note the differences between AddUser and AddUsr):
    if (!isset($_SESSION['UserName']) ||
        $_SESSION['UserAuthorization'] != 'admin') {
        //user has not logged in as admin
        header("Location: login.php");
        exit;
    }
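login.php rewritten as an added example, not the course's own file: the same two $_SESSION variables, but the user is looked up with a prepared statement and checked with password_verify(), and the session ID is regenerated before anything is stored in it. Assumed, beyond the column names the slide prints: a PasswordHash column written by password_hash(), the connection parameters, the form field names name and password, and student.php as the non-admin landing page. The requireRole() guard is written for a shared include that the restricted pages call.

```php
<?php
// Added example, not the course's login.php. Assumed: mysqli connection
// details, a `users` table with Name, FullName, Role and PasswordHash
// (written by password_hash()), form fields name/password, and student.php.
session_start();

// Returns the user row on success, null for an unknown user or a wrong
// password; the two cases are indistinguishable to the caller on purpose.
function authenticate(mysqli $db, string $name, string $password): ?array
{
    $stmt = $db->prepare('SELECT FullName, Role, PasswordHash FROM users WHERE Name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if ($row === null || !password_verify($password, $row['PasswordHash'])) {
        return null;
    }
    return $row;
}

// Guard for subsequent pages (put it in an include they all require).
function requireRole(string $role): void
{
    if (!isset($_SESSION['UserName'])
        || ($_SESSION['UserAuthorization'] ?? '') !== $role) {
        // user has not logged in with this role
        header('Location: login.php');
        exit;
    }
}

$db   = new mysqli('localhost', 'cs330', 'PLACEHOLDER_PASSWORD', 'cs330');
$user = authenticate($db, $_POST['name'] ?? '', $_POST['password'] ?? '');

if ($user === null) {
    header('Location: login.php?failed=1');
    exit;
}

// Valid user. Replace the session ID before storing anything in it: the ID
// the browser arrived with could have been chosen by someone else (session
// fixation), and carrying it into the logged-in state is one of the hijack
// routes slide 22 alludes to. The true argument discards the old session data.
session_regenerate_id(true);
$_SESSION['UserName']          = $user['FullName'];
$_SESSION['UserAuthorization'] = $user['Role'];

$LoginSuccess = $_SESSION['UserAuthorization'] === 'admin' ? 'admin.php' : 'student.php';
header('Location: ' . $LoginSuccess);
exit;
```

The role comparison uses === against a fixed string, so a missing or unexpected UserAuthorization value fails closed and sends the visitor back to login.php, which is the behaviour the slide's AddUsr check is after.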

16
Session Variables (cont.)
  • Can also be used to log user activity
  • e.g. what is in a shopping basket, what pages were visited, ...
  • Syntax in the text:
    session_register("varname");
    $varname = value;
  • Alternate: $_SESSION['varname'] = value;
  • Discrepancy with text (p. 320):
    is_registered($_SESSION['UserName']) // doesn't work
    isset($_SESSION['UserName'])         // works

17
Ending a Session
  • Why do we need to end sessions?
  • How: explicit destroy
  • e.g. call logout.php from the admin page.
  • what happens if one goes to logout.php without logging in?
  • logout.php:
    <?php
    session_start();
    if (isset($_SESSION['UserName'])) {
        echo "Goodbye " . $_SESSION['UserName'];
        session_destroy();
    } else {
        echo "You were not logged in.";
    }
    ?>

18
Ending a Session
  • Discrepancy with text, Example 8-3:
    if (isset($PHPSESSID))            //doesn't run
    if (isset($_COOKIE['PHPSESSID'])) //does
  • this is true for a while after a session has been destroyed
  • logout2.php (not as good an approach):
    <?php
    session_start();
    if (isset($_COOKIE['PHPSESSID'])) {   //stays true for a while
        echo "Goodbye ";
        session_destroy();
    } else {
        echo "You were not logged in.";
    }
    ?>

19
Default Timeout (see parameters in env3.php)
  • session.gc_maxlifetime: maximum lifetime of a session in seconds
  • session.gc_probability: the probability that garbage collection will occur when a session is initialized
  • Garbage collection: destroy every session that has been inactive for more than session.gc_maxlifetime
  • Balance: the time required for garbage collection versus the desirability of preventing users from accessing old sessions.
  • This explains why isset($_COOKIE['PHPSESSID']) is true even after a logout
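Serving both the logout slides and the timeout parameters above, as an added example (not the course's logout.php or env3.php): a helper that ends a session completely, including the PHPSESSID cookie that session_destroy() leaves in the browser, and an inactivity check kept in the session itself so the application does not depend on when garbage collection happens to run. The ini settings named are real PHP session settings; the 30-minute limit, the ?logout trigger and the helper names are assumptions.

```php
<?php
// Added example, not the course's logout.php. Helper names and the
// 30-minute limit are assumptions.

// Settings that belong in php.ini or an early bootstrap include.
ini_set('session.use_only_cookies', '1'); // ignore a session ID carried in the URL
ini_set('session.use_strict_mode', '1');  // refuse session IDs the server never issued
ini_set('session.cookie_httponly', '1');  // keep the ID cookie away from page scripts
ini_set('session.gc_maxlifetime', '1800'); // server-side garbage collection limit

const INACTIVITY_LIMIT = 1800; // seconds

// session_destroy() removes the server-side data but leaves the PHPSESSID
// cookie in the browser, which is why isset($_COOKIE['PHPSESSID']) is still
// true on the logout2.php slide. Emptying $_SESSION and expiring the cookie
// finishes the job.
function endSession(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?: 'Lax',
        ]);
    }
    session_destroy();
}

// Returns true while the session is live, false when it was idle longer
// than $limit (in which case it has been ended). $now is a parameter so the
// check can be exercised without waiting half an hour.
function enforceInactivityTimeout(int $now, int $limit = INACTIVITY_LIMIT): bool
{
    $last = $_SESSION['LastActivity'] ?? $now;
    if ($now - $last > $limit) {
        endSession();
        return false;
    }
    $_SESSION['LastActivity'] = $now;
    return true;
}

session_start();

// logout.php behaviour, triggered here by ?logout for the sake of one file
if (isset($_GET['logout'])) {
    if (isset($_SESSION['UserName'])) {
        echo 'Goodbye ' . htmlspecialchars($_SESSION['UserName'], ENT_QUOTES, 'UTF-8');
        endSession();
    } else {
        echo 'You were not logged in.';
    }
    exit;
}

// every other page: refresh the activity stamp or end an idle session
if (!enforceInactivityTimeout(time())) {
    header('Location: login.php?timeout=1');
    exit;
}
```

With session.use_only_cookies set, the URL-embedded PHPSESSID approach of the next slide is ignored, which also keeps session IDs out of server logs and Referer headers; the application-level LastActivity check gives a definite end to a session regardless of how the gc_probability dice fall.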

20
Session Management Without Cookies (p.320)
  • To deal with users that disable cookies
  • PHPSESSID is embedded as a GET variable in
    links.
  • Seems like a lot of work

21
Reasons to Use Sessions (p. 336)
  • Performance
  • stateless applications require lots of data
    passing
  • calculations can be done once
  • To control a sequence of interactions
  • user must go through login to any other pages
  • Retain intermediate results
  • e.g. form data.
  • Personalization
  • e.g. make sure CS 10x students view only their
    pages

22
Reasons Not to Use Sessions
  • Need for centralized session store
  • this doesn't work if servers are load-balancing
  • Performance
  • overhead of loading and accessing session
    variables
  • Timeouts
  • uncertainty as to when a session has ended
  • Bookmark restrictions
  • user may want to bookmark a page in a session
  • this one is silly
  • Security
  • there are ways for a user to hijack another
    user's session