Cookies Versus Sessions?


The setcookie( ) call needs to be before the HTML form because of the way the web works. HTTP operates by sending all "header" information before it sends "body" information. In the header, it sends things like server type (e.g., "Apache"), page size (e.g., "29019 bytes"), and other important data. In the body, it sends the actual HTML you see on the screen. HTTP works in such a way that header data cannot come after body datayou must send all your header data before you send any body data at all.
Cookies come into the category of header data. When you place a cookie using setcookie( ), your web server adds a line in your header data for that cookie. If you try and send a cookie after you have started sending HTML, PHP will flag serious errors and the cookie will not get placed.
There are two ways to correct this:
  • Put your cookies at the top of your page. By sending them before you send anybody data, you avoid the problem entirely.
  • Enable output buffering in PHP. This allows you to send header information such as cookies wherever you likeeven after (or in the middle of) body data. Output buffering is covered in depth in the following chapter.
The setcookie( ) function itself takes three main parameters: the name of the cookie, the value of the cookie, and the date the cookie should expire. For example:
setcookie("Name", $_POST['Name'], time( ) + 31536000);
In the example code, setcookie( ) sets a cookie called Name to the value set in a form element called Name. It uses time( ) + 31536000 as its third parameter, which is equal to the current time in seconds plus the number of seconds in a year, so that the cookie is set to expire one year from the time it was set.
Once set, the Name cookie will be sent with every subsequent page request, and PHP will make it available in $_COOKIE. Users can clear their cookies manually, either by using a special option in their web browser or just by deleting files.

print $_COOKIE["Name"];


Sessions store temporary data about your visitors and are particularly good when you don't want that data to be accessible from outside of your server. They are an alternative to cookies if the client has disabled cookie access on her machine, because PHP can automatically rewrite URLs to pass a session ID around for you.

 Starting a Session

A session is a combination of a server-side file containing all the data you wish to store, and a client-side cookie containing a reference to the server data. The file and the client-side cookie are created using the function session_start( ) it has no parameters but informs the server that sessions are going to be used.
When you call session_start( ), PHP will check to see whether the visitor sent a session cookie. If it did, PHP will load the session data. Otherwise, PHP will create a new session file on the server, and send an ID back to the visitor to associate the visitor with the new file. Because each visitor has his own data locked away in his unique session file, you need to call session_start( ) before you try to read session variablesfailing to do so will mean that you simply will not have access to his data. Furthermore, as session_start( ) needs to send the reference cookie to the user's computer, you need to have it before the body of your web pageeven before any spaces.

 Adding Session Data

All your session data is stored in the session superglobal array, $_SESSION, which means that each session variable is one element in that array, combined with its value. Adding variables to this array is done in the same way as adding variables to any array, with the added bonus that session variables will still be there when your user browses to another page.
To set a session variable, use syntax like this:
    $_SESSION['var'] = $val;
    $_SESSION['FirstName'] = "Jim";

Older versions of PHP used the function session_register( ); however, use of this function is strongly discouraged, as it will not work properly in default installations of PHP 5. If you have scripts that use session_register( ), you should switch them over to using the $_SESSION superglobal, as it is more portable and easier to read.
Before you can add any variables to a session, you need to have already called the session_start( ) functiondon't forget!