Archive for November, 2006

Sunday, November 19th, 2006

yourdomain.com, and anything.mydomain.com. This match is most likely not what we want, and this seeming error is fixable by adding a period in front of the domain. Tail matches are useful if we have multiple servers and want both http://www1.yourserver.com and http://www2.yourserver.com to have access to the cookie:

setcookie("my_cookie", $value, time() + 3600, "/user/", ".domain.com");

This usage of the function will allow files stored at anything.domain.com/user/ and all subdirectories and pages under that to access the cookie variable named $my_cookie.

At times it may be necessary to enable a cookie that contains secure or sensitive information to respond only to secure requests. Secure HTTP requests make it much more difficult for a third party to tap into information being sent between the client and the server. In this case there is a need to disallow the cookie being sent in plain text. To ensure a secure connection, pass a sixth parameter to the setcookie() function. That is, put a 1 after the domain scope:

setcookie("my_cookie", $value, time() + 3600, "", "https.server.com", 1);

Because all the parameters in the setcookie() function are optional (other than the cookie name), it is possible to set only a few of the parameters. We can set the value to an empty string for value, path, and domain, as those are all string parameters, and 0 for lifetime and secure, which are integer values. In this example we'll set a value, path, and domain scope for the cookie:

setcookie("my_cookie", "value", 0, "/user/index.php", ".sitetronics.com");

Note that there is no 0 for secure. Since it's an optional argument, the above code and:

setcookie("my_cookie", "value", 0, "/user/index.php", ".sitetronics.com", 0);

give the same result.

Deleting a Cookie

To delete a cookie, call the setcookie() function and pass the name of the cookie that is to be removed:

setcookie("my_cookie");

Deleting cookies like this will not affect any other cookies that are set already. This method doesn't change $HTTP_COOKIE_VARS either. The following code will also delete the cookie:

setcookie("my_cookie", "", 0, "/user/index.php", ".sitetronics.com");

Deleting cookies can also be done by setting the lifetime of the cookie to the current time minus 24 hours:

setcookie("my_cookie", $value, time() - 86400);

Amalgamating Cookie Data

PHP allows the use of arrays to make multiple values accessible through one cookie name. That is, this method sets individual cookies named cookie[0], cookie[1], cookie[2], and so on. The form of

Sunday, November 19th, 2006

The scope of the cookie must be set:

- To prevent users in other subdirectories from accessing the cookie variables

The default path for accessing a cookie is the root path. This allows the cookie to be accessible to any directory under the root. But this can create a security breach if there are users hosted in the subsequent directories and the cookie contains sensitive data. For example, if we limit the scope to /user, PHP will match /user.php, /user/index.php, and /user1/index.html. We can use the following code to limit the cookie to pages in the user directory:

setcookie("my_cookie", $value, time() + 3600, "/user/");

It is possible that we don't want other pages in the directory to be able to access our cookie. In that case, we can limit the directory scope to a specific page by using the setcookie() function as follows:

setcookie("my_cookie", $value, time() + 3600, "/user/page.php");

This method of setting the scope to a page isn't completely secure. A page with the name /user/page.php-dir/evil.php is still able to access the cookie information. Adding encryption to the cookies is possible using the mcrypt_encrypt() and mcrypt_decrypt() functions. For example:

And to decrypt the cipher in the login.php script:

- To limit the domain or server scope

Server, or domain, scope must be limited. Certain matching rules also apply for this scope, so let's take a look at those. The domain scope will appear valid if there is a tail match. A tail match returns true if the end of the viewed domain matches the domain set in the cookie path. For instance, if the domain scope is set to domain.com, it will match domain.com,
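As an added example (not code from the book text), here are the path prefix match and the domain tail match from these two sections modelled as PHP functions, with sample paths and hosts constructed from the text. The rfc6265_* variants go beyond the text: they apply the boundary rule that current browsers use, which is why /user no longer reaches /user1 and why a leading dot no longer changes the outcome.

```php
<?php
// Added example: models the two scope checks described in the text. The legacy_*
// functions follow the plain prefix/tail rules the text warns about; the
// rfc6265_* functions follow the boundary rules of current browsers.

function legacy_path_matches(string $cookiePath, string $requestPath): bool
{
    // Netscape-era rule: any request path that starts with the cookie path matches.
    return strncmp($requestPath, $cookiePath, strlen($cookiePath)) === 0;
}

function rfc6265_path_matches(string $cookiePath, string $requestPath): bool
{
    if ($cookiePath === $requestPath) {
        return true;
    }
    if (strncmp($requestPath, $cookiePath, strlen($cookiePath)) !== 0) {
        return false;
    }
    // A prefix match only counts when it ends on a directory boundary.
    return substr($cookiePath, -1) === '/' || $requestPath[strlen($cookiePath)] === '/';
}

function legacy_domain_matches(string $cookieDomain, string $host): bool
{
    // Tail match: the host must end with the cookie domain, nothing else is checked.
    $len = strlen($cookieDomain);
    return $len <= strlen($host) && substr($host, -$len) === $cookieDomain;
}

function rfc6265_domain_matches(string $cookieDomain, string $host): bool
{
    // A leading dot is ignored; the host must equal the domain or end with
    // "." followed by it, so "mydomain.com" no longer matches "domain.com".
    $domain = ltrim(strtolower($cookieDomain), '.');
    $host = strtolower($host);
    return $host === $domain || substr($host, -(strlen($domain) + 1)) === '.' . $domain;
}

// Constructed sample cases taken from the text's own examples.
$pathCases = [
    ['/user',          '/user/index.php'],
    ['/user',          '/user1/index.html'],
    ['/user/page.php', '/user/page.php-dir/evil.php'],
];
foreach ($pathCases as [$cookiePath, $requestPath]) {
    printf("path %-15s vs %-28s legacy=%d rfc6265=%d\n", $cookiePath, $requestPath,
        legacy_path_matches($cookiePath, $requestPath),
        rfc6265_path_matches($cookiePath, $requestPath));
}

$domainCases = [
    ['domain.com',  'www.domain.com'],
    ['domain.com',  'mydomain.com'],
    ['.domain.com', 'mydomain.com'],
];
foreach ($domainCases as [$cookieDomain, $host]) {
    printf("domain %-12s vs %-15s legacy=%d rfc6265=%d\n", $cookieDomain, $host,
        legacy_domain_matches($cookieDomain, $host),
        rfc6265_domain_matches($cookieDomain, $host));
}
```

Run with the PHP CLI; the legacy columns reproduce the over-broad matches the text describes, and the rfc6265 columns show the same inputs rejected.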

Sunday, November 19th, 2006

echo(" times!"); } ?>

The following output comes from the above error-prone code:

This error does not show up if we have error messages turned off. It is recommended that error messages are turned on; otherwise, this error would be virtually impossible to catch in a large script.

Setting Cookie Expiry Information

Many sites rely on setting a virtually unreachable cookie expiration date to welcome users to their web sites. As cookies are set by default for the entirety of the browser session, we need to give the cookie a longer lifetime. This is useful, for example, if there is a member area in which users could be remembered without needing to provide login information every time they log in. The time of expiration is set relative to the number of seconds that have elapsed since the epoch. Thus the expiration time should be set relative to the epoch, and to the number of seconds elapsed since then. PHP provides several time and date oriented functions to set timestamps relative to the epoch:

int time()

This function gets the current system time and returns it.

int mktime([int hour] [, int minute] [, int second] [, int month] [, int day] [, int year] [, int is_dst]);

This function converts human-readable dates/times into times relative to the epoch. The is_dst part of the mktime() function refers to whether or not the date falls within Daylight Saving Time. By default, this value is -1, which means that the property is unspecified. Other values for the is_dst property are 1 if the timestamp is within Daylight Saving Time, or 0 if the time isn't within that area. Let's look at an example that makes cookies with set expiration dates:

Setting Scope

Sunday, November 19th, 2006

int setcookie(string cookiename [, string value] [, integer lifetime] [, string path] [, string domain] [, integer secure])

- cookiename: The name of the cookie to set, the value of which will be accessible in all pages under the specified scope; in PHP scripts specifically as $cookiename.
- value: The value stored in the cookie named cookiename, referenced in PHP with the variable name $cookiename.
- lifetime: The time in seconds since the epoch (the 1st of January 1970) at which this cookie will no longer be valid.
- path: The root path at which the cookie is accessible. This path is recursive and any subdirectories are also able to access the cookie, unless set specifically to a filename. Note that, even if the path is set to /path/to/filename.php, someone could create a script at /path/to/filename.php-directory/evil-script.php and access the cookie information.
- domain: The domain from which the cookie is accessible.
- secure: This directive sets whether or not the cookie is accessible outside of HTTPS requests. This value defaults to 0, meaning that regular HTTP requests can access the cookie data.

If we omit setting a value for the cookie, it will be deleted. The first variable we provide to the function is the name of the cookie; the second variable is the value assigned to that name, thus giving the name=value pair that we expect from the cookie. The setcookie() function is fragile, in that the cookie must be set before any headers are sent to the browser, and in this respect it is similar to PHP's header() function, which will fail if any headers have already been sent. This failure results from the fact that cookies are set as headers. Let's understand this further by modifying the above code for a user access counter:

Putting text here will force a header of Content-type: text/html to be sent, causing the cookie to result in error. Thank you for visiting my site. You've seen this page

Sunday, November 19th, 2006

Parameter   Default
Path        The directory in which the cookie is set (for example, /user_section/) defaults to the directory containing the page in which the cookie was set
Domain      The domain of the server setting the cookie
Secure      Disabled by default

Sample Application to Use Cookies

We'll now go over the use of cookies by making a simple script that counts the number of times a visitor has accessed a page. We will use a cookie called accesses, and this cookie will hold the data corresponding to the number of accesses a user has had to a page. Since PHP automatically gives us cookie variables, there will be a $accesses variable set. Remember that the variable name is set to the name of the cookie:

Thank you for visiting my site. You've seen this page

The above code produces the following output:

Note that the counter gets set to 1 even though the user hasn't visited the page before. Also notice that the $accesses variable isn't set by default anywhere. Since the user didn't send a variable $accesses to us, PHP will automatically interpret its blank value as 0, thus allowing us to increment it. Also, here we use the setcookie() function to send a request to the user's browser to set a cookie. This function sets a new cookie on the browser, accesses, if there is no cookie named accesses already set. If a cookie called accesses already exists, the browser will automatically update it.

setcookie()
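The access counter from this section and the header-ordering rule from the setcookie() section, as an added example that is not the book's own listing: the cookie is read from $_COOKIE (register_globals, which made $accesses appear on its own, no longer exists), the Set-Cookie header is emitted before any output, and headers_sent() reports where output started if it is already too late. The httponly and samesite options go beyond the text; the cookie name, path and lifetime are the text's own.

```php
<?php
// Added example, not the text's listing: the page-access counter with the cookie
// read from $_COOKIE and the Set-Cookie header written before any body output.

function next_access_count(array $cookies): int
{
    // An absent cookie counts as zero, as the text describes PHP treating the
    // blank value; a non-numeric (tampered) cookie is discarded the same way.
    $raw = $cookies['accesses'] ?? '0';
    return (ctype_digit($raw) ? (int) $raw : 0) + 1;
}

$accesses = next_access_count($_COOKIE);

// setcookie() writes a header, so it must run before the first byte of body.
// headers_sent() tells us whether output has already started, and where.
if (headers_sent($file, $line)) {
    error_log("cannot set cookie: output already started at $file:$line");
} else {
    setcookie('accesses', (string) $accesses, [
        'expires'  => time() + 3600,
        'path'     => '/user/',
        'secure'   => true,    // HTTPS only: the sixth parameter in the text
        'httponly' => true,    // not readable from client-side script
        'samesite' => 'Lax',   // not attached to cross-site POST requests
    ]);
}

echo "Thank you for visiting my site. You've seen this page $accesses times!";
```

Serve the file through PHP over HTTPS and reload it; moving the echo above the setcookie() call reproduces the failure the text describes, and the error log names the line that caused it.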

Saturday, November 18th, 2006

There are certain restrictions in the use of cookies, as described in the previous section. The web server can specify the following additional information specific to the cookie:

- Expiration information (example: 05/10/2005, 18:59:00 Greenwich Mean Time, or GMT)
- Path information (example: /user_section)
- Domain information (example: yourserver.com)
- Secure parameter (used in HTTPS requests)

Expiration Information

Expiration information on a cookie is used to check whether or not the cookie is still valid. If a cookie has expired, it will not be sent to the server again. If there is no expiration information provided, the cookie will be deleted when the browser is closed.

Path Information

The path directive of the cookie is used to tell the client where on the domain the cookie may be used. Any URL with a prefix matching the path set in the cookie's scope will be able to access the data stored in the cookie. Minor discrepancies in how the cookie is set can make a big difference in how the client and server interpret the cookie. If the cookie were set with the path /user_section/, the URL http://www.sitetronics.com/user_section/macdonald would be able to access data stored in the cookie. However, if the cookie was defined as /user_section, no subdirectories would be able to access the data stored in the cookie. We wouldn't want this information to be accessed, for example, if we are hosting multiple user sites in the /user_section directory. If we set the cookie's path to /, anyone can write a script to access it, without even knowing the name of the cookie, since cookies are stored in an associative array. An alternative to limiting the scope to a directory is to limit the scope to a single page, thus rendering it useless anywhere else. This is done simply by setting the directory scope to, for example, /user_section/cookie.php. Alternatively, we can use encryption to secure our cookies.

Domain Scope

The domain scope limits the domains that can access the information stored in the cookie. Cookies can be limited to a single hostname by setting the domain information to www.sitetronics.com. Alternatively, they can be given to an entire domain by setting the domain information to something such as sitetronics.com. This case would allow the cookie to be shared across multiple servers. There are some instances where it is best to allow multiple hosts under a domain to access our cookies:

- Setting up the server such that anything.yourdomain.com points to www.yourdomain.com
- We have a large site (or are hosted by a large site on which our URL is redirected at times) that has multiple servers using hostnames such as www.yourdomain.com, www1.yourdomain.com, and so on.

When the secure parameter is set, the cookie can be sent only over secure channels. This means that the cookie will not be sent through a standard HTTP connection; only an HTTPS server request will allow access. The browser checks to see if the cookie is being sent over a secure transmission layer, and if not, then it does not send it. Securing cookies in this manner is especially useful. For example, in the case of a shopping cart application, setting the secure parameter virtually guarantees that a third-party snoop cannot access the client's cookie data.

All of these parameters are optional and have the following defaults:

Parameter   Default
Expiration  The cookie is alive until the browser closes

Saturday, November 18th, 2006

Cookies

Cookies are a huge hype these days, both for programmers and users. For programmers, they allow easy and reliable storage for variables needed on multiple pages. Users benefit by saving information about themselves, such as e-mail addresses or usernames, which wouldn't need to be typed in later by the user. For programmers, cookies can be a useful tool to reward visitors of a site, track what trends they follow, and even to recommend frequently bought products of interest to them. Cookies were originally designed to allow programmers to store variables between visits to a site and through pages in a visit. This need for "permanent variables" allowed the development of applications that need to store membership information or a user ID for later use. Simply put, cookies are client-side text strings that contain name=value pairs and have an associated URL. The browser uses this URL to determine whether or not to send the cookie to the server through a header. However, browsers have taken certain measures to prevent abuse of cookies; notably, users can turn support off. Browsers allow no more than 300 cookies, only 20 of which can originate from the same server, essentially to prevent cookies from taking too much space on the hard drive.

Security Issues

Cookies began to be a problem when people found out about their existence. Users did not like the idea of having information stored on their computer without their consent, and cookies provided a great way to do this. There were myriad misconceptions that cookies were potential security threats that would send fake e-mails from you, format your hard drive, and so on. In fact, cookies cannot retrieve anything about a user's system, barring innocuous IP and login records. Additionally, cookies have their own security medium that the browsers are able to use. Cookies are limited to a certain scope or address range in which they can be used. The programmer defines this scope. The browser then reads this scope and determines if it should allow a certain server access to the cookie. This attribute is necessary to prevent separate servers from determining the names of our cookies and accessing the cookies from their site. Cookies usually do contain information on individuals or their browsing habits and do pose some issues. Thus, privacy is an issue and should be kept at heart by the programmer.

Using Cookies

PHP provides handy built-in functions for dealing with cookies. Cookies set on a server are automatically read by PHP. Hence, a cookie with the name stereo and containing the string System would cause PHP scripts on the server responsible for setting the cookie to set the variable $stereo to System. Keep in mind that cookie variable names, like any other variables, are case-sensitive. The value stored in a cookie can be accessed in a few different ways:

- $login: this value is retrieved by PHP from the global variable with the same name.
- $HTTP_COOKIE_VARS["login"]: the global array of cookies is an array filled only with cookie data. You may find this array particularly useful if you are interested in differentiating between cookie variables and those received from the GET and POST methods (which can be retrieved by $HTTP_GET_VARS and $HTTP_POST_VARS, respectively).

Sending cookies and the respective cookie variables is limited to choices made by the user. The cookie is stored only if the client actually accepts it and allows it to be sent back to the server. The browser usually automates this process of sending cookies. However, some browser security settings allow users to require their permission to set cookies, or even to disallow them completely.

Saturday, November 18th, 2006


Saturday, November 18th, 2006

URLs

When writing sessions, keep in mind the security issues involved. For instance, a user at a public terminal may look over the shoulder of another and grab the session string, thus taking over the other user's session and possibly compromising information such as credit card numbers, addresses, phone numbers, or other sensitive subjects. Additionally, propagating a SID in the URL, which is impossible to copy unless the user is away for a long time, makes the URL look quite ugly and can cause confusion among computer-illiterate users. Thus, it is not always in our best interests to propagate sessions through the URL. Now, all browsers have some method of cookie support and accept, or at least prompt for, cookies. When considering those browsers that are generally not HTML 4.0 or JavaScript compatible, usually, explaining to the users that cookies are a necessity for the site, and that their security is a top concern, will get cookies turned on.

Security Issues

If we are unable to use cookies with our site and must propagate sessions through the URL, there are a few ways to add security to the site, thus preventing session takeovers. For instance, the following code snippet will register the user's IP address if they've just logged in. If a different IP is detected, the session will disallow the new IP:

if (!session_is_registered("ipAddr")) {
    $ipAddr = $REMOTE_ADDR;
    session_register("ipAddr");
}
if ($ipAddr != $REMOTE_ADDR) {
    echo("Hijacked Session!");
}

Unfortunately, computers behind a firewall and computers running behind a proxy server do not have unique IP addresses, and all would appear with the same address as the computer that is actually connected to the outside. There is no easy way around this. Some proxy servers send an HTTP header called X_FORWARDED_FOR, which will contain the end-user address. The following snippet will get the right address for any user and computer behind a proxy:

if (getenv("HTTP_X_FORWARDED_FOR")) {
    $ipAddr = getenv("HTTP_X_FORWARDED_FOR");
} else {
    $ipAddr = $REMOTE_ADDR;
}
session_register("ipAddr");

This will still pose a problem for proxy servers that don't send this header and for computers behind a firewall. Thus, it becomes necessary to propagate the session in cookies.

Import When redirecting a user to a separate page, on a
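The IP-binding check above rewritten as an added example (not the book's code) against the $_SESSION and $_SERVER superglobals that replaced session_register() and register_globals. Unlike the text's second snippet it honours X-Forwarded-For only when the direct peer is one of our own reverse proxies, because any client can send that header itself; the TRUSTED_PROXIES address is a constructed placeholder.

```php
<?php
// Added example, not code from the original text: bind a session to the client
// address, trusting X-Forwarded-For only when it arrives via a known proxy.

const TRUSTED_PROXIES = ['10.0.0.5'];   // constructed placeholder; list your own proxies

// Returns the address to bind the session to. The leftmost X-Forwarded-For entry
// is the one the proxy saw as its client; it is only believable if the request
// really came from that proxy, otherwise the header is attacker-controlled.
function client_address(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $xff    = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff !== '' && in_array($remote, TRUSTED_PROXIES, true)) {
        $first = trim(explode(',', $xff)[0]);
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            return $first;
        }
    }
    return $remote;
}

// Records the address on first use and compares it on every later request.
// Returns true when the session may continue, false when it was cleared.
function check_session_binding(array &$session, array $server): bool
{
    $addr = client_address($server);
    if (!isset($session['ipAddr'])) {
        $session['ipAddr'] = $addr;
        return true;
    }
    if ($session['ipAddr'] !== $addr) {
        $session = [];   // drop everything the old session held
        return false;
    }
    return true;
}

session_start();
if (!check_session_binding($_SESSION, $_SERVER)) {
    session_regenerate_id(true);   // the old SID is useless to whoever holds it
    echo 'Hijacked Session!';
    exit;
}
```

The text's caveat still applies: users behind one NAT or proxy share an address, and mobile users change addresses mid-session, so treat a mismatch as a reason to re-authenticate rather than as proof of theft.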

Saturday, November 18th, 2006

There are two ways to propagate sessions:

- Through URLs
- Through cookies