Cookies
Derek Bridge
Department of Computer Science,
University College Cork
Cookies
Aims:
- to know what people mean when they say that HTTP is a stateless protocol, and why this is
a problem for many webapps
- to know some of the solutions to this problem and their weaknesses
- to understand how cookies work in detail and how to use them in PHP
- to know some of the issues with cookies
State management
- HTTP was designed for hyperlinked documents
- a client contacts a server and requests a document
- the server sends the requested document to the client
- HTTP is a stateless protocol
- each request is independent: by default, the server
has no memory of previous requests
- This approach is adequate for hyperlinked documents but often inadequate
for webapps where it can be useful to recognise repeat contacts, e.g.:
- a client which has contacted the server in the past
- a sequence of requests from the same client within a short period of
time (a session)
Ways to achieve state management
- There are many ways to detect that two requests come from the same client:
- IP addresses
- Keep track of the clients' IP addresses (in PHP: $_SERVER['REMOTE_ADDR'])
- Class exercise: There are many reasons why this may fail to
correctly identify your users. What are they?
- URL rewriting to include a user identifier in the query part of a URL
- Hidden fields in forms to pass around a user identifier
- Cookies
Cookies for state management
- A cookie is a small amount of data (a name/value pair)
- E.g. id=cust123
- A single domain cannot set more than 20 cookies
- Each cookie can be no more than 4 KB in size
- According to the spec, no more than 300 cookies in total
- A header line in the server's response can contain a cookie
- If cookies are enabled, the browser stores the cookie
- Next time the browser sends a request to that path/domain, it includes the cookie in a header line
- This enables the server to know about your previous visit(s)
Cookies example
- The browser sends a request to www.amazon.co.uk:
GET /index.html HTTP/1.1
...
- The server stores information about your visit
- Its response requests the browser to store a cookie:
HTTP/1.1 200 OK
Set-Cookie: id=cust123; path=/; domain=.amazon.co.uk
...
- Assuming cookies are enabled, the browser stores the cookie
- Subsequently, you visit www.amazon.co.uk again.
- The browser includes the cookie in the request:
GET /index.html HTTP/1.1
Cookie: id=cust123
...
- The server can make use of what it stored about your previous visit
Persistent cookies and in-memory cookies
- Persistent cookies:
- the server includes an expiry date in the cookie:
HTTP/1.1 200 OK
Set-Cookie: id=cust123; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.amazon.co.uk
...
- the browser stores the cookie on the client's hard disk until it expires
- useful for identifying clients which have contacted the server in the past
- In-memory cookies:
- the server does not include an expiry date:
HTTP/1.1 200 OK
Set-Cookie: id=cust123; path=/; domain=.amazon.co.uk
...
- the browser stores the cookie in main memory but deletes it when
the browser is shut down
- useful for sessions
Cookies in PHP: sending them
- Use the setcookie function
- Only the first parameter is mandatory:
- name of the cookie
- value of the cookie
- the date and time at which it expires
- the top-level directory of the domain from which the cookie can be accessed (default is current directory)
- the domain for which the cookie is valid (default is server hostname)
- a Boolean indicating whether the cookie should only be transmitted over secure HTTP connections (default false)
- E.g. setcookie('numvisits', $counter, time()+86400*365*5);
(time() returns the current time as seconds since 1 Jan 1970 GMT)
Cookies in PHP: sending them
- A cookie is sent as an HTTP response header line, and headers precede the body of the response
- In a dynamically generated web page, you must therefore use setcookie() before any of the (X)HTML is generated*
- E.g. this is no good, because output has already been sent before the header is set:
echo '<?xml version="1.0" encoding="UTF-8"?>';
setcookie('numvisits', $counter, time()+86400*365*5);
(*unless PHP's output buffering is enabled, which it is not in our installation)
Cookies in PHP: accessing them
- You can access cookies using an associative array: $_COOKIE
- It works just like the $_GET and $_POST arrays
- You can test whether the cookie has been set using isset
- Class exercise: Why might it not be set? (Several reasons)
counter.php: simple example
Counting the number of times a page has been accessed by a client
<?php
// First visit: no cookie was sent, so start counting at 1.
// Otherwise read the cookie; the cast guards against a non-numeric (possibly tampered) value.
if (! isset($_COOKIE['numvisits']))
{
    $counter = 1;
}
else
{
    $counter = (int) $_COOKIE['numvisits'] + 1;
}
// Adds a Set-Cookie header to the response, so it must come before any output.
// The expiry five years from now makes this a persistent cookie.
setcookie("numvisits", $counter, time()+86400*365*5);
?>
...
<?php
echo "Welcome! (Visit number: {$counter})\n";
?>
Some of the issues with cookies
- Class exercise: How accurate are cookies at identifying the user?
- Violations of privacy
- They can be used to track the pages you visit within a site
- Do you want the owners of the site to know this?
- Should they be allowed to sell on this information?
- Third-party cookies
- Suppose you request a web page that contains an image (e.g. an ad) that's stored on another site
- Then your browser will request that image from that site
- That site will probably set a cookie: a third-party cookie
- Advertising companies such as doubleclick.com do this all the time
- Effectively, they are tracking your visits across all sorts of sites, wherever
they place their ads
- Is this an even bigger violation of your privacy?
- Cookie theft (a.k.a. session hijacking)
- Network traffic can be intercepted
- Passwords and credit card details are usually sent using SSL (hence, encrypted)
- Cookies generally aren't!
- Either use HTTPS (HTTP+SSL) or never send sensitive information in a cookie
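As an added example (not part of these slides), here is the browser side of the exchange shown under "Cookies example" and "Persistent cookies and in-memory cookies", modelled in Python: it parses the Set-Cookie lines from the slides, discards in-memory cookies on shutdown, keeps persistent ones until they expire, and, for the cookie-theft point above, withholds a cookie marked secure (PHP's sixth setcookie parameter) from plain HTTP requests. The CookieJar class and parse_http_date helper are constructed for this example; the 20-cookie and 4 KB limits are not modelled.

```python
from datetime import datetime, timezone


def parse_http_date(text):
    """Parse the expires= format used on the slides, e.g. 'Sun, 17-Jan-2038 19:14:07 GMT'."""
    return datetime.strptime(text, "%a, %d-%b-%Y %H:%M:%S GMT").replace(tzinfo=timezone.utc)


class CookieJar:
    def __init__(self):
        self.cookies = {}  # (domain, path, name) -> attributes of one stored cookie

    def store(self, set_cookie_value, request_host):
        """Handle one Set-Cookie header value, e.g. 'id=cust123; path=/; domain=.amazon.co.uk'."""
        parts = [p.strip() for p in set_cookie_value.split(";")]
        name, _, value = parts[0].partition("=")
        # Defaults follow the slides: no expires= means in-memory; domain defaults to the host.
        attrs = {"value": value, "expires": None, "path": "/", "domain": request_host, "secure": False}
        for part in parts[1:]:
            key, _, val = part.partition("=")
            key = key.lower()
            if key == "expires":
                attrs["expires"] = parse_http_date(val)
            elif key == "path":
                attrs["path"] = val
            elif key == "domain":
                attrs["domain"] = val.lstrip(".")
            elif key == "secure":
                attrs["secure"] = True
        self.cookies[(attrs["domain"], attrs["path"], name)] = attrs

    def shutdown_browser(self):
        """In-memory cookies (no expires=) are discarded; persistent ones survive on disk."""
        self.cookies = {k: c for k, c in self.cookies.items() if c["expires"] is not None}

    def cookie_header(self, host, path, https, now=None):
        """Return the Cookie header line for a request, or None if no stored cookie qualifies."""
        now = now or datetime.now(timezone.utc)
        sent = []
        for (domain, cpath, name), c in self.cookies.items():
            if host != domain and not host.endswith("." + domain):
                continue  # cookie belongs to another domain
            if not path.startswith(cpath):
                continue  # cookie is restricted to a different path
            if c["expires"] is not None and c["expires"] <= now:
                continue  # persistent cookie has expired
            if c["secure"] and not https:
                continue  # a secure cookie is never sent over plain HTTP
            sent.append(f"{name}={c['value']}")
        return "Cookie: " + "; ".join(sent) if sent else None
```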