Learning cookie Knowledge Points in PHP

  • 2021-10-11 17:48:05
  • OfStack

What is a cookie

A cookie is a small piece of data stored on the user-agent side (the browser is the most common user agent). When requesting a page, the browser collects the cookies that are valid for that URL and sends them to the server in the Cookie request header.

Composition of a cookie

A cookie consists of the following parts:

domain, the domain the cookie belongs to. Before sending a cookie, the browser checks its domain against the request host and sends it only on a match. A cookie whose domain is tlanyan.me is sent with requests to www.tlanyan.me and dev.tlanyan.me, but not to www.baidu.com. Conversely, a cookie set for dev.tlanyan.me is not sent to tlanyan.me, because its domain is restricted to the dev subdomain.

path, the path the cookie belongs to. Matching is by prefix: a cookie set for /author is sent to /author and everything below it, but not to /category, while a cookie set for / is sent with every request to the site.

name, the cookie's name (key).

value, the cookie's value (content).

expires, the expiry time.

secure, whether the cookie is sent only over HTTPS.

httponly, whether the cookie is used only in HTTP transport. When set to true, browser-side scripts (document.cookie in JavaScript) cannot read it.

Uses of cookies

Cookies are mainly used in the following areas:

HTTP is a stateless protocol, and cookies are the most common means of maintaining a session: the server tags each client with an identifier and the client sends it back on every request. PHPSESSID and JSESSIONID, two cookies you will often see, are the session cookies of PHP and Java web applications respectively.

Some data needs to be stored on the client, and a cookie is one option. After the user ticks "Do not prompt next time", the flag can be saved on the client; the next time the page is opened, the program reads the setting before deciding whether to show the prompt. With the spread of HTML5, this kind of use is gradually being replaced by localStorage.

Cookie operations on the PHP side

Reading cookies: all cookies sent by the client can be read through the $_COOKIE superglobal, an associative array of the names and values of the cookies that arrived with the request. The browser sends only name=value pairs to the server, so the server cannot see a cookie's domain, path or expires attributes from the request; it has to remember what it set.

PHP provides the setcookie function to send a cookie to the client. Its signature is:


bool setcookie ( string $name [, string $value = "" [, int $expire = 0 [, string $path = "" [, string $domain = "" [, bool $secure = false [, bool $httponly = false ]]]]]] )

The parameters correspond to the parts of a cookie described above. expire is an absolute Unix timestamp, not a duration; it defaults to 0, which means the cookie lives only for the current browser session and is discarded when the browser is closed. path defaults to the directory of the current URL, that is, the part up to the last slash; set it to / to make the cookie available across the whole site. domain defaults to the host of the current page, in which case browsers treat the cookie as host-only and do not send it to subdomains; to widen the scope, set it to a parent domain you control (for example tlanyan.me, so that www.tlanyan.me and dev.tlanyan.me both receive it). Browsers reject cookies scoped to a public suffix such as .com. secure defaults to false and should be true on any HTTPS site, so the cookie never travels over plain HTTP. httponly defaults to false and should be set to true: it keeps the cookie out of reach of script, so an XSS flaw cannot read it and steal the session, although it does not prevent the XSS itself. Since PHP 7.3 the attributes can also be passed as an options array in the third argument, which is also the only way to set the samesite attribute.

To delete a cookie, set its expires to a timestamp in the past, such as time() - 3600. The deleting call must use the same path and domain as the call that created the cookie, otherwise the browser sees a different cookie and keeps the original one. So to delete the cookie foo, the code can be


setcookie('foo', '', time() - 3600);
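The following is an added example, not code from the original article, that puts the setcookie parameters above into practice: it issues a preference cookie with explicit attributes using the array-options form available since PHP 7.3, and deletes it with matching path and domain. The domain tlanyan.me, the cookie name hide_prompt and the reset query parameter are placeholders chosen for illustration.

```php
<?php
// Added example (not from the original article): set a cookie with explicit
// attributes using the array-options form of setcookie() (PHP >= 7.3), then
// delete it with the same path and domain so the browser recognises it as
// the same cookie. COOKIE_DOMAIN is an assumed placeholder.

declare(strict_types=1);

const COOKIE_DOMAIN = 'tlanyan.me'; // assumed parent domain shared by www. and dev.
const COOKIE_PATH   = '/';

function setPrefCookie(string $name, string $value, int $ttlSeconds): bool
{
    // 'expires' is an absolute Unix timestamp, not a duration.
    return setcookie($name, $value, [
        'expires'  => time() + $ttlSeconds,
        'path'     => COOKIE_PATH,
        'domain'   => COOKIE_DOMAIN,
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable through document.cookie
        'samesite' => 'Lax',  // not attached to cross-site POST requests
    ]);
}

function deletePrefCookie(string $name): bool
{
    // Deletion is just an already-expired replacement. Path and domain must
    // match the original cookie, or the browser keeps the old one untouched.
    return setcookie($name, '', [
        'expires'  => time() - 3600,
        'path'     => COOKIE_PATH,
        'domain'   => COOKIE_DOMAIN,
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Usage inside a request handler, before any output has been produced.
if (isset($_GET['reset'])) {
    deletePrefCookie('hide_prompt');
} else {
    setPrefCookie('hide_prompt', '1', 30 * 24 * 3600); // valid for 30 days
}
```

Both calls emit a Set-Cookie header in the current response; setcookie returns false only if headers have already been sent, so the return value is worth checking in code that may run after output.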

Good practices for cookies

As the literal meaning of the word suggests, a cookie is a saved fragment of data. Cookies are used constantly in web development, so it pays to understand them well. Here are some good practices for using them:

Do not store too many cookies, or too much data in a cookie: every matching cookie is sent with every request, and browsers cap a single cookie at about 4 KB;
A cookie is plaintext on the client and on the wire (unless secure is set and the site uses HTTPS), so sensitive information should not be stored in it;
For the safety of the site and its users, set the httponly attribute of cookies whenever possible;
A cookie is entirely under the client's control and is external input: the server must validate it like any other input and never trust it blindly.
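As an added example (not from the original article) of the last point, the block below treats cookie values as untrusted input in two ways: an allowlist for a plain preference value, and an HMAC tag so that a value the server issued can be checked for tampering before it is used. COOKIE_SECRET, the theme and role cookie names and the request array are constructed placeholders.

```php
<?php
// Added example (not from the original article): validate cookies as
// external input. Layer 1 is an allowlist for a preference value; layer 2
// is an HMAC tag on a server-issued value so client edits are detected.
// COOKIE_SECRET is a placeholder; a real key comes from configuration.

declare(strict_types=1);

const COOKIE_SECRET  = 'replace-with-a-random-32-byte-key';
const ALLOWED_THEMES = ['light', 'dark'];

// Layer 1: allowlist. Anything not in the list falls back to a safe default,
// so the cookie can never inject an arbitrary string into a template or query.
function readTheme(array $cookies): string
{
    $theme = $cookies['theme'] ?? '';
    return in_array($theme, ALLOWED_THEMES, true) ? $theme : 'light';
}

// Layer 2: integrity. The server signs what it issues; a modified value
// (e.g. role=admin) fails verification even though the client can edit it.
function signValue(string $value): string
{
    $tag = hash_hmac('sha256', $value, COOKIE_SECRET);
    return $value . '.' . $tag;
}

// Returns the original value, or null if the tag is missing or does not match.
function verifySignedValue(string $cookie): ?string
{
    $dot = strrpos($cookie, '.');
    if ($dot === false) {
        return null;
    }
    $value    = substr($cookie, 0, $dot);
    $tag      = substr($cookie, $dot + 1);
    $expected = hash_hmac('sha256', $value, COOKIE_SECRET);
    // hash_equals is constant-time, so timing does not reveal matching bytes.
    return hash_equals($expected, $tag) ? $value : null;
}

// Constructed request: a valid theme cookie and a role cookie the client edited
// by changing the value while keeping the server's original tag.
$issued   = signValue('role=user');
$tampered = 'role=admin' . substr($issued, strlen('role=user'));
$request  = ['theme' => 'dark', 'role' => $tampered];

$theme = readTheme($request);                     // allowlisted value, used as-is
$role  = verifySignedValue($request['role']);     // null: tag no longer matches
$safe  = readTheme(['theme' => '<script>']);      // falls back to the default

printf("theme=%s role=%s fallback=%s\n", $theme, $role ?? 'rejected', $safe);
```

Note that the HMAC protects only integrity: the value is still readable on the client, so this pattern is for tamper-evident flags, not for secrets. For anything sensitive, keep the data on the server and store only an opaque session identifier in the cookie, as PHPSESSID does.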

Others

Cookies are sent with the request and set on the client with the response. Once this flow is understood, some common beginner problems become clear, such as the following code:


if (!isset($_COOKIE['foo'])) {
    setcookie('foo', 'foobar');
}
$foo = $_COOKIE['foo']; // undefined array key on the first visit

If the foo cookie is absent, the last line raises an undefined array key notice (a warning since PHP 8). The reason is that setcookie only adds a Set-Cookie header to the current response; the browser has to receive that response and store the cookie before it attaches it to later requests. $_COOKIE reflects only what arrived with the current request, so the cookie set in this request is not visible in it.

Similarly, cookies live in the headers of the request and response, and headers must precede the body, so setcookie is subject to the same restriction as header(): it must be called before any output is sent. An echo, stray whitespace outside the PHP tags or a UTF-8 BOM before the call makes it fail with a "headers already sent" warning.
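The following is an added example, not code from the original article, showing how to write the snippet above so that it works on the first visit: the value being set is mirrored into a local variable (and into $_COOKIE) for the current request, and headers_sent() is checked first so a late call fails visibly instead of with a warning. The cookie name foo and the ensureCookie helper are illustrative names.

```php
<?php
// Added example (not from the original article): a cookie set in this
// response is not in $_COOKIE yet, so keep the value for the current request
// ourselves, and check headers_sent() before calling setcookie().

declare(strict_types=1);

/**
 * Return the cookie value if the browser sent it; otherwise issue it with
 * $default and return $default. Problems are appended to $warnings.
 */
function ensureCookie(string $name, string $default, array &$warnings): string
{
    if (isset($_COOKIE[$name])) {
        return $_COOKIE[$name];            // arrived with this request
    }

    if (headers_sent($file, $line)) {
        // Output has already started, so no further headers (including
        // Set-Cookie) can be added to this response.
        $warnings[] = "cannot set cookie '$name': output started at $file:$line";
        return $default;
    }

    setcookie($name, $default, [
        'path'     => '/',
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    // Mirror the value so later code in this request sees what the browser
    // will send next time; the browser itself has not stored it yet.
    $_COOKIE[$name] = $default;
    return $default;
}

$warnings = [];
$foo = ensureCookie('foo', 'foobar', $warnings);   // no notice on the first visit
foreach ($warnings as $warning) {
    error_log($warning);
}
```

Writing back into $_COOKIE is a convenience for the rest of the current request only; nothing is sent to the browser until the response goes out, and the real value on the next request is whatever the browser chose to store.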
