Page 313 - Beginning PHP 5.3
Chapter 10: Preserving State With Query Strings
As you can see, a cookie contains a number of pieces of information, summarized in the following table:

Cookie Field: Description

name (for example, fontSize): The name of the cookie. This is much like the name of a form field, or a key in an associative array.

value (for example, 3): The value of the cookie. This is similar to the value of a form field or a value in an associative array.

expires: The time that the cookie should expire. When this point is reached, it is deleted from the browser, and is no longer sent back to the server in requests. If this value is set to zero, or omitted, the cookie lasts as long as the browser is running, and is automatically deleted when the browser exits.

path: The path that the browser should send the cookie back to. If specified, the browser will only send the cookie to URLs that contain this path. For example, if you specify a path of /admin/, only scripts contained in the /admin/ folder (and any subfolders) will receive the cookie. If you don't specify a value, the current directory of the script is assumed. It's generally a good idea to specify a path. Use a value of "/" if you want the cookie to be available to all URLs in your Web site.

domain: By default, a browser only sends a cookie back to the exact computer that sent it. For example, if your Web site at www.example.com sets a cookie, the cookie will only be sent back to URLs that begin with http://www.example.com. URLs beginning with http://example.com or http://www2.example.com won't receive the cookie. However, if you set domain to .example.com, the browser will send the cookie back to all URLs within this domain, including URLs beginning with http://www.example.com, http://example.com, or http://www2.example.com.

secure: This field, if present, indicates that the cookie should be sent only if the browser has made a secure (https) connection with the server. If it's not present, the browser will send the cookie to the server regardless of whether the connection is secure. Omit this field if you're working with standard (http) connections.

HttpOnly: This field, if present, tells the browser that it should make the cookie data accessible only to scripts that run on the Web server (that is, via HTTP). Attempts to access the cookie via JavaScript within the Web page are rejected. This can help to reduce your application's vulnerability to cross-site scripting (XSS) attacks.
Although you can use the domain field to get the browser to send cookies back to other machines within the same domain, you can't use this trick to set cookies for sending to other domains. For example, if your Web site at www.example.com tries to set a cookie with a domain value of www.google.com, the cookie will be rejected by the browser.
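The fields in the table are exactly what a Set-Cookie response header carries. The following added example (not from the book, and written in Python rather than PHP because it works on the header text itself) parses such a header into those fields and reports the settings a reviewer would question for a session-type cookie: a missing secure flag, a missing HttpOnly flag, an omitted path, or a domain value that shares the cookie with every host under it. The header strings are constructed for the example.

```python
"""Parse a Set-Cookie header into the cookie fields and flag weak settings."""

FLAG_ATTRIBUTES = {"secure", "httponly"}           # attributes that carry no value
VALUED_ATTRIBUTES = {"expires", "path", "domain"}  # attributes that carry a value


def parse_set_cookie(header):
    """Return a dict with name, value, expires, path, domain, secure, httponly."""
    fields = {"expires": None, "path": None, "domain": None,
              "secure": False, "httponly": False}
    # The first "name=value" pair is the cookie itself; the rest are attributes.
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError("Set-Cookie must start with name=value")
    fields["name"], fields["value"] = (s.strip() for s in parts[0].split("=", 1))
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key in FLAG_ATTRIBUTES:
            fields[key] = True          # "Secure" / "HttpOnly" present
        elif key in VALUED_ATTRIBUTES:
            fields[key] = val.strip()   # e.g. Path=/admin/
        # Any other attribute is ignored by this small parser.
    return fields


def cookie_warnings(fields):
    """List the settings a reviewer would question for a session-type cookie."""
    warnings = []
    if not fields["secure"]:
        warnings.append("no Secure flag: also sent over plain http")
    if not fields["httponly"]:
        warnings.append("no HttpOnly flag: readable from page JavaScript")
    if fields["path"] is None:
        warnings.append("no Path: browser falls back to the script's directory")
    if fields["domain"]:
        warnings.append("Domain=%s: shared with every host under this domain"
                        % fields["domain"])
    return warnings


# Constructed sample headers: a bare cookie and a hardened one.
WEAK_HEADER = "fontSize=3"
HARDENED_HEADER = ("fontSize=3; Expires=Fri, 31 Dec 2010 23:59:59 GMT; "
                   "Path=/admin/; Secure; HttpOnly")

if __name__ == "__main__":
    for header in (WEAK_HEADER, HARDENED_HEADER):
        fields = parse_set_cookie(header)
        print(fields["name"], cookie_warnings(fields) or "ok")
```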
275
9/21/09 9:05:10 AM
c10.indd 275