Cookies and Session

Cookies

A cookie is a small piece of data sent by a server to a browser and stored on the user’s computer while the user is browsing. Cookies are created and exchanged between the browser and the server through HTTP headers.

A cookie allows the server to store and retrieve data on the client. It is stored in a file on the client side, and the maximum size of a cookie is limited to 4K in any web browser. Cookies are short-lived: they carry an expiry date and time, and by default they expire as soon as the browser is closed.

For example, when you visit YouTube and search for Bollywood songs, this gets noted in your browsing history. The next time you open YouTube in your browser, the cookies reflect that history and you are shown Bollywood songs on your YouTube homepage.

Creating a cookie

The setcookie() function is used for the cookie to be sent along with the rest of the HTTP headers.

When a developer creates a cookie with the setcookie() function, at least three arguments must be specified: setcookie(name, value, expiration);

Cookie Attributes

  1. Name: Specifies the name of the cookie
  2. Value: Specifies the value of the cookie
  3. Secure: Specifies whether or not the cookie should only be transmitted over a secure HTTPS connection. TRUE indicates that the cookie will only be set if a secure connection exists. Default is FALSE
  4. Domain: Specifies the domain name of the cookie. To make the cookie available on all subdomains of example.com, set the domain to “example.com”. Setting it to www.example.com will make the cookie only available in the www subdomain
  5. Path: Specifies the server path of the cookie. If set to “/”, the cookie will be available within the entire domain. If set to “/php/”, the cookie will only be available within the php directory and all sub-directories of php. The default value is the current directory that the cookie is being set in
  6. HTTPOnly: If set to TRUE the cookie will be accessible only through the HTTP protocol (the cookie will not be accessible by scripting languages). This setting can help to reduce identity theft through XSS attacks. Default is FALSE
  7. Expires: Specifies when the cookie expires. The value time()+86400*30 will set the cookie to expire in 30 days. If this parameter is omitted or set to 0, the cookie will expire at the end of the session (when the browser closes). Default is 0

Necessity of Cookies

Cookies can be used for various purposes –

  • Identifying Unique Visitors.
  • HTTP is a stateless protocol; cookies permit us to track the state of the application using small files stored on the user’s computer.
  • Recording the time each user spends on a website.

Session ID

For each session, PHP generates a unique identifier in the form of a hash: a random string of 32 hexadecimal characters, such as 5f7dok65iif989fwrmn88er47gk834, known as the PHP session ID.

A session ID or token is a unique number used to identify a user who has logged into a website. The session ID is stored on the server and is assigned to a specific user for the duration of that user’s visit (session). The session ID can be carried in a cookie, a form field, or the URL.

Explanation:

Now let’s have a look at this picture and see what it shows:

In the given picture we can clearly see three components: the HTTP client, the HTTP server, and a database (holding the session ID).

Step 1: The client sends a request to the server via POST or GET.

Step 2: A session ID is created on the web server. The server saves the session ID into the database and, using the Set-Cookie header, sends the session ID to the client browser in its response.

Step 3: The cookie holding the session ID, stored in the client browser, is sent back to the server, where the server matches it against the database and responds with HTTP 200 OK.
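The three-step exchange above and the cookie attributes listed earlier, modelled as an added Python example (not code from the original page, and Python rather than PHP so the whole flow is self-contained): an in-memory dict stands in for the database, PHPSESSID is PHP's default session cookie name, and the Secure and HttpOnly flags are set the way the attribute list recommends.

```python
import secrets
from email.utils import formatdate  # RFC 1123 date for the Expires attribute

# Constructed in-memory stand-in for the database that holds session IDs.
SESSION_DB = {}

def new_session_id():
    """16 random bytes -> 32 hexadecimal characters, as described above."""
    return secrets.token_hex(16)

def set_cookie_header(name, value, expires=0, path="/", domain="",
                      secure=True, httponly=True):
    """Build a Set-Cookie header value from the attributes listed earlier."""
    parts = [f"{name}={value}"]
    if expires:  # 0 = session cookie, discarded when the browser closes
        parts.append("Expires=" + formatdate(expires, usegmt=True))
    parts.append(f"Path={path}")
    if domain:
        parts.append(f"Domain={domain}")
    if secure:
        parts.append("Secure")    # only ever sent over HTTPS
    if httponly:
        parts.append("HttpOnly")  # hidden from document.cookie (limits XSS theft)
    return "; ".join(parts)

def parse_cookie_header(header):
    """Parse the browser's Cookie request header ("a=1; b=2") into a dict."""
    cookies = {}
    for pair in header.split(";"):
        if "=" in pair:
            key, _, val = pair.strip().partition("=")
            cookies[key] = val
    return cookies

def handle_login(user):
    """Step 2: create the session server-side and hand the ID to the browser."""
    sid = new_session_id()
    SESSION_DB[sid] = user
    return 200, {"Set-Cookie": set_cookie_header("PHPSESSID", sid)}

def handle_request(cookie_header):
    """Step 3: look the presented ID up in the database; unknown IDs get 401."""
    sid = parse_cookie_header(cookie_header).get("PHPSESSID")
    if sid is None or sid not in SESSION_DB:
        return 401, None
    return 200, SESSION_DB[sid]
```

A request presenting a guessed or stale ID falls through to the 401 branch, which is the check the database lookup in Step 3 exists to perform.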