Knowledge points for cookies in PHP

This article mainly introduces the knowledge of cookies in PHP, has a certain reference value, and now share to everyone, the need for friends can refer to

What is a cookie

Cookies, or small cookies, are some pieces of data that are stored on the user agent side (the browser is the most common user agent). When you browse a Web page, the browser sends a cookie that is valid on the current page to the server on the requested header.

Cookie composition

A cookie consists of the following parts:

The domain name that the domain,cookie belongs to. When a cookie is sent by the browser, the domain name to which the cookie belongs will be checked and the match will be sent. The browser will send the cookie under the tlanyan.me domain to the www.tlanyan.me or dev.tlanyan.me page request, but will not be sent to www.baidu.com. Similarly, dev.tlanyan.me cookies cannot be sent to tlanyan.me because the domain name is defined as the dev subdomain.

The path to which the Path,cookie belongs. Cookies that are set to/author are not sent to the/category path, but the cookie that sets the path to/is sent to all page requests.

Name, the names of the cookies (key names).

Value (contents) of the cookie.

expires, expiration time.

Secure, the cookie is transmitted only at HTTPS.

HttpOnly, whether it is used only for HTTP delivery. When set to True, the browser-side scripting language will not be able to access the cookie.

Use of cookies

Cookies are mainly used in the following areas:

HTTP is a stateless protocol, and cookies are the most common means for maintaining a session that requires additional data to be tagged. Common Phpsessid and Jsessionid are two types of cookies that are used to maintain sessions in PHP and Java Web applications, respectively.

Some data needs to be stored on the client, and a cookie is an option. After the user tick "no longer prompt again", the flag can be saved to the client, again access the program read settings and then decide whether to display. With the popularity of HTML 5, this part of the function is slowly replaced by localstorage.

Cookie operation on PHP side

The read cookie can be read to all cookies from the client via the $_cookie Super global variable. $_cookie is an array that can traverse the name and value of a cookie that is sent over a read. The browser only sends the cookie's key value to the server, so it cannot read information such as the domain/path/exipres of the cookie, because.

PHP provides the Setcookie function to send cookies to the client. The function signature for Setcookie is:

BOOL Setcookie (String $name [, String $value = "" [, int $expire = 0 [, String $path = "" [, String $domain = "" "[, BOOL $secure = False [, bool $httponly = false]]] []])

The parameter corresponds to the composition of the cookie: expires defaults to 0, which means that only the current session is valid, the cookie is cleared after the user closes the browser, and path defaults to the current page path, which is the part before the last backslash of the URL, and domain defaults to the current page. If you want to expand the scope of use, can be set to a parent domain name or a top-level domain; HttpOnly defaults to False, it is recommended to set true to avoid XSS attacks.

To delete a cookie, you only need to set the expires of the cookie to a past timestamp, such as time () –3600. So to delete foo This cookie, the code can be thought

Setcookie (' foo ', ', Time ()-3600);

Good practices for cookies

It can be seen from the literal meaning of a cookie that the data fragment is preserved. Cookies are used more frequently in web development and should be understood more often. Here are some good practices for using cookies:

You should not store large amounts of data in a cookie;
Cookies are clearly visible in the client and in the transmission and should not be stored in the cookie for sensitive information;
For site and user security, set the HttpOnly property of the cookie to true if possible;
The cookie is completely controlled by the client, also belongs to the external input, the service side cannot blindly believe, should filter it.
Other

The cookie is sent with the request and is set to the client with the response. Understanding this process, you can understand some of the common problems of beginners, such as the following code:

if (!isset ($_cookie[' foo ')) {   Setcookie (' foo ', ' Foobar ');}  $foo = $_cookie[' foo '];

In the case where Foo is not set, the 5th line runs with an error. The reason for this is that Setcookie is the cookie that sets this response and requires the browser to receive a response and set it up in order to include the cookie in subsequent requests and does not respond to this request.

Similarly, a cookie exists in the header information of the request and response, and the header should precede the request body, so the function context of Setcookie uses the same header function, that is, the response body cannot have been sent before.