Friday 15 April 2011

Sessions and Cookies in PHP

Introduction

Sessions and Cookies enable web developers to store data in a way that is easily accessible from multiple pages. If data is stored using such mechanisms, users will not lose data when navigating from one page to another.
In this blog I will describe my experience and what I’ve learned while performing a task assigned by my tutor.

Cookies

Cookies are stored on the client side and are usually used to identify a user. In PHP a cookie is created with the following syntax:
setcookie(<Cookie name>, <Cookie value>, <Expiry time as a Unix timestamp in seconds>);
Cookies sent by the browser are available in the $_COOKIE array, and the value of a cookie is retrieved with the following syntax:
$_COOKIE[<Cookie name>];
A cookie is deleted by giving it an expiry time in the past. For example, the following code deletes the ckname cookie:
setcookie("ckname", "", time()-3600);
The isset() function checks whether a cookie exists; it returns true if the cookie is present and false if not. It is commonly used in an if statement as follows:
if (isset($_COOKIE["ckname"]))
    echo "Cookie found";
else
    echo "Cookie not found";

Sessions

Session variables are stored on the server and are available to all pages. Sessions related to a user are deleted when the user leaves the web site. When a session is created, a unique id (UID) is generated and stored in a cookie on the client side; the server uses this id to identify the user.
Before sessions can be used, the session is started with the following syntax:
session_start();
The following syntax is used to store a session variable:
$_SESSION[<Session variable name>]=<Value to store>;
If the variable name does not exist, it will be automatically created. A session variable can be destroyed by using the following syntax:
unset($_SESSION[<Session variable name>]);
To completely destroy a session and all its variables, the following syntax can be used:
session_destroy();

Task Description

This blog describes my experience while performing a task assigned by my tutor. The task consists of the following stages:
  • Use PHP to create a login screen that accepts a user name and password that are validated on the server side.
  • Add a “remember me” button that uses a cookie so that the user does not have to log in again.
  • Replace the cookie mechanism with PHP sessions.

Using Cookies - Login Screen

Design

The log-in page, index.php, enables the user to key in credentials and log in to the system. The Remember my credentials option enables the user to store a log-in cookie and log in automatically on later visits.
The welcome page, validate.php, displays the user name and enables the user to log out, which deletes the log-in cookie.

Flow

The following drawing shows the flow when the index.php page is launched.
Please note that when a ‘Remember me’ cookie exists, the user is redirected automatically to validate.php. When the user clicks the Log-in button in index.php, the user name and password keyed in by the user are passed to validate.php. The following drawing shows the flow when the validate.php page is launched.
When a login cookie is found, the cookie value is read and displayed on the welcome page. If the cookie is not present, the user name and password are compared with a text file containing user accounts. If the account is valid and ‘Remember Me’ was selected, the log-in cookie is created.
A Log me out link is added to enable the user to log out and delete the log-in cookie. When this link is clicked, a flag is created and validate.php is launched. As shown in the drawing above, when validate.php loads it checks the flag; if the flag exists, the cookie is deleted and the user is redirected to index.php.

Development

The index.php page

In line 42, the script checks whether a parameter ErrorMessage exists. If it does, lines 43 to 45 add an error image and the error text to the page.
In line 49, the script checks whether a cookie ckname exists; this cookie is created when Remember my credentials is selected during log-in. If the cookie exists, the script calls validate.php with a flag checkcookie; this flag instructs validate.php to use the cookie and skip the validation.

The validate.php page

At line 21 the script checks whether a parameter resetCookie exists; this parameter is created when a user clicks Log-out. If the parameter exists, the script calls the resetCookie() function.
The resetCookie() function deletes the cookie by setting its expiry date in the past.
In line 31, the script checks whether the checkcookie parameter exists; this parameter is sent by index.php to use the cookie and skip validation. If it exists, the cookie value (the user name) is stored in a global variable $LoggedinName. In line 35, some text is added to notify the user that log-in was done using the cookie.
If the checkcookie parameter is not found, the script within lines 37 and 58 is executed. In line 39, the script checks the user input (username and password). If the input is empty, index.php is launched with an error parameter (line 55). If the input is not empty, the user name and password are validated using the validateUser(<User name>,<Password>) function, which is explained later in this blog. If the credentials are invalid, index.php is launched with an error parameter (line 47).
In line 62, the script checks whether Remember my credentials is selected; if it is, a cookie holding the username is created.
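As an added example (not the blog's own validate.php code), here is a remember-me cookie whose value is signed and carries its own expiry, so the server can tell a cookie it issued from one altered on the client before it skips validation; REMEMBER_KEY, the "name|expiry|mac" layout, the assumption that usernames contain no '|', and PHP 7.3 or newer for setcookie()'s options array are my assumptions.

```php
<?php
// Added example, not the blog's own code: a "remember me" cookie that carries
// the username plus an expiry and an HMAC, so an edited or forged cookie is
// rejected instead of being accepted as a login. REMEMBER_KEY is an assumed
// server-side secret loaded from configuration; it never leaves the server.
const REMEMBER_KEY    = 'replace-with-a-long-random-secret';   // placeholder value
const REMEMBER_COOKIE = 'ckname';                              // cookie name used on the page

// Issue the cookie after validateUser() has accepted the credentials.
function issueRememberCookie(string $username, int $ttlSeconds = 7 * 86400): void
{
    $expires = time() + $ttlSeconds;
    $payload = $username . '|' . $expires;        // assumes usernames contain no '|'
    $mac     = hash_hmac('sha256', $payload, REMEMBER_KEY);
    // HttpOnly keeps the cookie away from page scripts; Secure limits it to HTTPS.
    setcookie(REMEMBER_COOKIE, $payload . '|' . $mac, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Returns the username if the cookie is present, unexpired and correctly signed,
// otherwise null so the caller falls back to the normal login form.
function rememberedUser(): ?string
{
    if (!isset($_COOKIE[REMEMBER_COOKIE])) {
        return null;
    }
    $parts = explode('|', $_COOKIE[REMEMBER_COOKIE]);
    if (count($parts) !== 3) {
        return null;
    }
    [$username, $expires, $mac] = $parts;
    if (!ctype_digit($expires) || (int) $expires < time()) {
        return null;
    }
    $expected = hash_hmac('sha256', $username . '|' . $expires, REMEMBER_KEY);
    // hash_equals() compares in constant time, so the check leaks no timing.
    return hash_equals($expected, $mac) ? $username : null;
}
// Log-out, as the page's resetCookie(): expire the cookie on the client.
function resetRememberCookie(): void
{
    setcookie(REMEMBER_COOKIE, '', time() - 3600, '/');
}
```

In the page's flow, index.php would call rememberedUser() where it currently tests isset($_COOKIE["ckname"]), and validate.php would call issueRememberCookie() where it currently stores the bare username.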

Test

I will perform some tests to ensure that the system is working as expected.
  • Test the result when a username and password are not provided and the user clicks Log-in.
  • Test the result when an invalid username and password are provided.
  • Test the result when valid credentials are provided and Remember my credentials is not selected.
  • Test the result when Remember my credentials is selected and the user tries to access the index.php page for the second time.

Using Sessions - Login Screen

Design

The log-in page, index.php, enables the user to key-in credentials and log-in to the system.
The welcome page, welcome.php, displays the user name and the session id.

Flow

The following drawing shows the flow when the index.php page is launched.
This page contains all the PHP syntax to validate the user. If the user is valid, this page starts a session and calls the welcome.php page. When welcome.php is launched, the session value and the session ID are displayed. The following is the welcome.php flow:
It is important to note that sessions can be removed from the client side by closing the Internet browser. In addition, the server can be configured to remove the session after a predefined time; this can be done from a PHP script by adding the following:
ini_set('session.gc_maxlifetime', '<time>');
where time is an integer in seconds.

Development

The index.php page

In line 7, the isset() function checks the user input; if the input is not empty, the input is validated.
In line 8, using the validateUser(<User name>,<Password>) function, the credentials are validated, and if they are valid the script within lines 9 and 12 is executed.
NOTE: the validateUser() function is explained later in this blog.
In line 10 the session is started, and in line 11 a new session variable (user) holding the username is created. At line 12 welcome.php is called to display the values.
If the credentials are invalid, the error to display is stored in the variable $error and displayed using the following code:

The welcome.php page

In line 13, the isset() function checks whether a user session exists. If the session does not exist, the user is redirected to the index.php page (line 14). If the session exists, the value is stored in a variable $username and displayed using the following code:
In line 25, the session id is displayed using the session_id() function.
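The session variant of the flow (index.php login, welcome.php check, log-out), as an added example rather than the blog's own index.php and welcome.php: it assumes validateUser() exists as described later, PHP 7.3 or newer for session_set_cookie_params()'s options array, and adds session_regenerate_id() at login and a log-out function, which the page's description does not include.

```php
<?php
// Added example, not the blog's own code: the session variant of the login.
// validateUser() is the page's credential check, assumed to exist elsewhere.
// Call once, before any output, on every page that uses sessions.
function startSecureSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // cookie is dropped when the browser closes, as on the page
        'path'     => '/',
        'secure'   => true,     // HTTPS only
        'httponly' => true,     // not readable by page scripts
        'samesite' => 'Lax',
    ]);
    ini_set('session.gc_maxlifetime', '1800');   // server-side lifetime: 30 minutes
    session_start();
}
// index.php: on a valid login, store the user in the session and go to welcome.php.
function loginWithSession(string $username, string $password): bool
{
    if (!validateUser($username, $password)) {
        return false;
    }
    startSecureSession();
    // A new id after login means an id set before login cannot be reused (fixation).
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    header('Location: welcome.php');
    return true;
}
// welcome.php: return the logged-in name, or send the visitor back to index.php.
function requireSessionUser(): string
{
    startSecureSession();
    if (!isset($_SESSION['user'])) {
        header('Location: index.php');
        exit;
    }
    return $_SESSION['user'];
}
// Log-out: clear the variables, expire the cookie, then destroy the server record.
function logoutSession(): void
{
    startSecureSession();
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
}
```

welcome.php can display the name returned by requireSessionUser() next to session_id(), as the page's line 25 does.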

Test

I will perform some tests to ensure that the system is working as expected.
  • Test the result when an invalid username and password are provided.
  • Test the result when valid credentials are provided.

Validation

Flow

To validate user credentials, a function was created that gets the user input and compares the credentials with a list stored in a text file. The flow is as follows:

Development

In line 23, using the fopen() function, the file is opened in read-only mode. Iteration is done using a while loop in line 27. The iteration loops until the pointer is at the end of the file; this is checked using the feof() function.
Each line is split in two and stored in an array in line 29; the text file is tab delimited.
The array values $SingleUser[0] and $SingleUser[1] are compared with the $User and $Password parameters respectively. If these values match, the function returns true.
When all credentials in the text file have been checked and none match, the function returns false.
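An added implementation of validateUser(), not the blog's downloadable file: it keeps the tab-delimited text file and the $SingleUser[0]/$SingleUser[1] comparison described above, but stores password_hash() output in the second column instead of the password itself, and reads with fgets() so the trailing newline and the extra feof() iteration do not break the comparison; the users.txt file name and the addUser() helper are my assumptions.

```php
<?php
// Added example, not the blog's own code: validateUser() reading a tab-delimited
// "username<TAB>password" file. Two changes from the page's plain comparison: the
// file holds password_hash() output rather than the password itself, and each line
// is trimmed so the trailing newline cannot make every comparison fail.
function validateUser(string $user, string $password, string $file = 'users.txt'): bool
{
    $handle = @fopen($file, 'r');                 // read-only, as on the page
    if ($handle === false) {
        return false;                              // missing file counts as a failed login
    }
    $found = false;
    // fgets() returns false at end of file, which avoids the extra empty iteration
    // that a while (!feof($handle)) loop produces on a file ending in a newline.
    while (($line = fgets($handle)) !== false) {
        $singleUser = explode("\t", rtrim($line, "\r\n"), 2);
        if (count($singleUser) !== 2) {
            continue;                              // skip blank or malformed lines
        }
        // password_verify() does a constant-time comparison against the stored hash.
        if ($singleUser[0] === $user && password_verify($password, $singleUser[1])) {
            $found = true;
        }
    }
    fclose($handle);
    return $found;
}

// Writes an account line in the format validateUser() expects (used to set up the file).
function addUser(string $file, string $user, string $password): void
{
    if (preg_match("/[\t\r\n]/", $user)) {
        throw new InvalidArgumentException('username may not contain tab or newline');
    }
    $line = $user . "\t" . password_hash($password, PASSWORD_DEFAULT) . "\n";
    file_put_contents($file, $line, FILE_APPEND | LOCK_EX);
}
```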

Conclusion

Working with cookies and sessions was an interesting and challenging task. There are more things to learn about this matter and in this blog I’m describing the basics. Hope this helps.
Happy coding…

Resources

Download the session and the cookie sample files from Windows Live.
