How to maintain state in a stateless web
Shirley Cohen
scohen@tacc.utexas.edu

What is meant by state?
To maintain state means the ability to retain the values of variables between requests and to keep track of which users are logged into the system.

Methods for maintaining state
• Cookies
• Sessions
• Passing [hidden] variables

What is a cookie?
Cookies are simple text strings of the form name=value which are stored persistently on the client's machine. A URL is stored with each cookie, and the browser uses it to decide whether to send the cookie to the web server.

Cookie Example
    <?php
    // Read the previous count back from the cookie (0 on the first visit), then increment it.
    $count = isset($_COOKIE['count']) ? (int) $_COOKIE['count'] : 0;
    $count++;
    setcookie('count', (string) $count);   // must run before any output is sent
    ?>
    Welcome! You've seen this site <?php echo $count . ($count == 1 ? ' time!' : ' times!'); ?>

Common Pitfalls
• Can't call setcookie() after output has been sent to the browser
• Can't have more than 20 cookies/server
• Cookies ONLY persist until the browser closes UNLESS you specify an expiry date:
    setcookie("name", $value, time() + 3600);

Sessions
Sessions are just like cookies, except they store the user's data on the web server. Every request carries a unique session id. Sessions are said to be 30% more reliable than cookies.

Session Example
    <?php
    // start the session
    session_start();
    print "<strong>Step 2 - Register Session </strong><br />";
    // Get the user's input from the form
    $name = $_POST['name'] ?? '';
    // Register the session key with the value
    $_SESSION['name'] = $name;
    // Display the session information (escaped, since it came from the user):
    ?>
    Welcome to my website <strong><?php echo htmlspecialchars($_SESSION['name']); ?></strong>!<br />
    Let's see what happens on the <a href="page3.php">next page.</a><br /><br />

Destroying a Session
    <?php
    // start the session
    session_start();
    // clear the session data, then destroy the session on the server
    $_SESSION = array();
    session_destroy();
    print "<strong>Step 5 - Destroy This Session </strong><br />";
    if (isset($_SESSION['name'])) {
        print "The session is still active";
    } else {
        echo "Ok, the session is no longer active! <br />";
    }
    ?>

Session Tutorial Site
http://www.phpfreaks.com/tutorials/41/0.php

Passing Variables
    <?php
    // Values arrive in the query string; PHP has already URL-decoded them.
    $course     = $_GET['course'] ?? '';
    $student_id = $_GET['student_id'] ?? '';
    ?>
    <form method="POST" action="main.php">
      <input type="hidden" name="course" value="<?php echo htmlspecialchars($course); ?>">
      <input type="hidden" name="student_id" value="<?php echo htmlspecialchars($student_id); ?>">
    </form>

EID Topic
The EID module authenticates a user using a valid EID and password, which are sent to the UT directory server over SSL. The UT directory server returns a cookie to the requestor, and the requestor can then retrieve the relevant information about the user.

Web Central Users
Use an .htaccess file on the directory they want to protect.

Examples:

.htaccess file to allow access for any valid UT EID
    SSLRequireSSL
    AuthType Anything
    AuthName Anything
    EID_Required on
    require valid-eid

.htaccess file to allow restricted access for a small group
    SSLRequireSSL
    AuthType Anything
    AuthName Anything
    EID_Required on
    require eid UniqueID1 UniqueID2

Web Central EID Tutorial
http://www.utexas.edu/learn/restrict/index.html

Non-Web Central Users
• PHP EID Module: David Cook (not stable at the moment)
• ColdFusion EID Module: Lisa Barden (now stable according to Eng.)
• Request ITS authorization from: James M Ferrero

Questions
• ???
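As a follow-up to the cookie and session slides above, here is an added example (not from the original slides) that keeps the same visit counter both in a cookie and in a session, side by side. It assumes PHP 7.3 or later for the options-array form of setcookie(); the cookie value is validated because it comes from the client, while the session value never leaves the server.

```php
<?php
// Added example, not part of the original slides. Assumes PHP 7.3+.

// Cookie version: the value lives on the client, so treat it as untrusted input.
function cookie_visits(): int
{
    // $_COOKIE['visits'] can hold anything; cast to int and clamp to a sane range.
    $visits = isset($_COOKIE['visits']) ? (int) $_COOKIE['visits'] : 0;
    $visits = max(0, min($visits, 1000000)) + 1;
    setcookie('visits', (string) $visits, [
        'expires'  => time() + 3600,   // without this the cookie dies with the browser
        'path'     => '/',
        'secure'   => true,            // only sent over HTTPS
        'httponly' => true,            // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    return $visits;
}

// Session version: only the session id travels in a cookie; the data stays on the server.
function session_visits(): int
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    $_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
    return $_SESSION['visits'];
}

// Both setcookie() and session_start() must run before any output is sent.
$cookieVisits  = cookie_visits();
$sessionVisits = session_visits();
?>
<p>Cookie says you have visited <?php echo $cookieVisits; ?> time(s).</p>
<p>Session says you have visited <?php echo $sessionVisits; ?> time(s).</p>
```

The two counters drift apart as soon as the cookie is modified or deleted on the client, which is the practical difference between the two methods: server code can only trust the session value.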