Local copies of the example files used in lecture. The paths and host names
below refer to the course server, so you will need to fix them if you want to play
with the files on a server of your own.
- cookie.html: setting a cookie on the browser from HTML, see the meta element.
Load the page in a browser and then take a look at the browser's cookies.
- cookie.php: setting a cookie in PHP. Here the cookie arrives as a Set-Cookie line in the
HTTP response header. To see this, talk to the server by hand:
# simulate http://www.cs.toronto.edu/~arnold/309/chttp/cookie.php
# Note: www.cs.toronto.edu is the particular machine we connect to.
# Host: www.cs.toronto.edu is a required HTTP/1.1 header which tells the web server which
# particular domain (virtual host) to serve files from for this request. This allows a single
# machine to serve files for zzz.com, www.com, stuff.com etc.
telnet www.cs.toronto.edu 80
GET /~arnold/309/chttp/cookie.php HTTP/1.1
Host: www.cs.toronto.edu
----- above is client request
----- hit return a few times here!! (the blank line is what ends the request headers)
----- below is server response
HTTP/1.1 200 OK
Date: Tue, 21 Jan 2014 11:37:57 GMT
Server: Apache/2.4.6 (Ubuntu)
X-Powered-By: PHP/5.5.3-1ubuntu2.1
Set-Cookie: mySecret=this+is+a+hugh+secret
Content-Length: 1
Content-Type: text/html
Or you can just load cookie.php in your browser and check the browser's cookies.
- getCookies.php: list the cookies the browser just sent the server
- login.html, protectedContentHTML.php, logout.html: try visiting protectedContentHTML.php before
visiting login.html, and after, then visit logout.html and try visiting protectedContentHTML.php.
Think about why this is not good security: the server trusts a cookie named is_logged_in that
the client itself sets. A cookie is just a header the client chooses to send, so anyone can
present is_logged_in=true without ever having visited login.html, as the request below shows.
# simulate http://www.cs.toronto.edu/~arnold/309/chttp/protectedContentHTML.php
telnet www.cs.toronto.edu 80
GET /~arnold/309/chttp/protectedContentHTML.php HTTP/1.1
Host: www.cs.toronto.edu
Cookie: is_logged_in=true
----- above is client request (note the forged Cookie line)
----- hit return a few times here!!
----- below is server response
HTTP/1.1 200 OK
Date: Tue, 21 Jan 2014 11:38:29 GMT
Server: Apache/2.4.6 (Ubuntu)
X-Powered-By: PHP/5.5.3-1ubuntu2.1
Content-Length: 45
Content-Type: text/html
You are logged in, so can access the content.
- session.php: starting a session in PHP. PHP sends the browser a PHPSESSID cookie that holds
only a random session identifier; the session data itself resides on the server.
# simulate http://www.cs.toronto.edu/~arnold/309/chttp/session.php
telnet www.cs.toronto.edu 80
GET /~arnold/309/chttp/session.php HTTP/1.1
Host: www.cs.toronto.edu
----- above is client request
----- hit return a few times here!!
----- below is server response
HTTP/1.1 200 OK
Date: Tue, 21 Jan 2014 11:39:27 GMT
Server: Apache/2.4.6 (Ubuntu)
X-Powered-By: PHP/5.5.3-1ubuntu2.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=s52io6qs0p94ubic2kuq49ffg7; path=/
Content-Length: 0
Content-Type: text/html
- sess: the directory where the session data are stored (PHP's file handler writes one
sess_<id> file per PHPSESSID).
- login.php, protectedContent.php: as above, only this time the logged-in state is a session
variable kept on the server and looked up by PHPSESSID. You can't play the same game as above:
the server only honours ids it issued, and a PHPSESSID is random, so you can't forge one.
You can hijack a session though: anyone who obtains a valid PHPSESSID (the traffic above is
plaintext HTTP on port 80, and the Set-Cookie line carries neither HttpOnly nor Secure) can send
Cookie: PHPSESSID=... and be treated as that user until the session is destroyed.
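The following is an added example, not one of the course files, that puts the two
designs above side by side: the forgeable is_logged_in flag of protectedContentHTML.php,
and a server-side session keyed by a random id as in protectedContent.php, which cannot be
forged but can be replayed once the id is captured. It also checks the Set-Cookie line from
the session.php transcript for the protective attributes it lacks. The Cookie/Set-Cookie
strings are copied from the transcripts above; SessionStore, weak_is_logged_in and the
other functions are hypothetical stand-ins for the PHP, not the course's code.

```python
"""Added example (not part of the course files): forgeable cookie flag vs.
server-side session, session replay, and Set-Cookie attribute hygiene.
Requests and headers below are constructed from the telnet transcripts;
SessionStore and the check functions are hypothetical stand-ins for the PHP."""
import secrets
from typing import Dict, List, Optional


def parse_cookie_header(value: str) -> Dict[str, str]:
    """Turn 'a=1; b=2' (the Cookie request header) into a dict."""
    cookies: Dict[str, str] = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.strip().partition("=")
            cookies[name] = val
    return cookies


def raw_request(path: str, host: str, cookies: Optional[Dict[str, str]] = None) -> bytes:
    """The exact bytes typed into telnet. The trailing blank line is what
    'hit return a few times' supplies: it terminates the header block."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}"]
    if cookies:
        lines.append("Cookie: " + "; ".join(f"{k}={v}" for k, v in cookies.items()))
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


# --- protectedContentHTML.php style: trust a flag the client sends ----------
def weak_is_logged_in(cookie_header: str) -> bool:
    """Anyone can type 'Cookie: is_logged_in=true'; no login ever happened."""
    return parse_cookie_header(cookie_header).get("is_logged_in") == "true"


# --- protectedContent.php style: server-side session keyed by a random id ---
class SessionStore:
    """Stand-in for the sess/ directory: session id -> session data."""

    def __init__(self) -> None:
        self._data: Dict[str, Dict[str, str]] = {}

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(24)  # unguessable, like a PHPSESSID
        self._data[sid] = {"user": user}
        return sid

    def logout(self, sid: str) -> None:
        self._data.pop(sid, None)  # session_destroy() equivalent

    def user_for(self, cookie_header: str) -> Optional[str]:
        """Only ids this server issued resolve; a made-up id resolves to nothing."""
        sid = parse_cookie_header(cookie_header).get("PHPSESSID")
        return self._data.get(sid, {}).get("user") if sid else None


# --- Set-Cookie hygiene: attributes the transcript's PHPSESSID line lacks ----
REQUIRED_ATTRS = ("Secure", "HttpOnly", "SameSite")


def missing_cookie_attrs(set_cookie: str) -> List[str]:
    """Protective attributes absent from a Set-Cookie value (case-insensitive)."""
    attrs = {p.strip().split("=")[0].lower() for p in set_cookie.split(";")[1:]}
    return [a for a in REQUIRED_ATTRS if a.lower() not in attrs]


def hardened_set_cookie(name: str, value: str) -> str:
    """What the session cookie should look like when served over HTTPS."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    # 1. Forging the flag works without logging in.
    forged = "is_logged_in=true"
    print(raw_request("/~arnold/309/chttp/protectedContentHTML.php",
                      "www.cs.toronto.edu", parse_cookie_header(forged)).decode())
    print("weak check, forged cookie:", weak_is_logged_in(forged))          # True

    # 2. Guessing a session id does not: the server only knows ids it issued.
    store = SessionStore()
    print("session check, made-up id:", store.user_for("PHPSESSID=abc"))    # None
    sid = store.login("alice")
    # 3. ...but whoever captures the id (port 80 is plaintext) can replay it.
    print("session check, replayed id:", store.user_for(f"PHPSESSID={sid}"))  # alice
    store.logout(sid)
    print("after logout:", store.user_for(f"PHPSESSID={sid}"))             # None

    # 4. The transcript's cookie lacks every protective attribute.
    captured = "PHPSESSID=s52io6qs0p94ubic2kuq49ffg7; path=/"
    print("missing:", missing_cookie_attrs(captured))  # ['Secure', 'HttpOnly', 'SameSite']
    print(hardened_set_cookie("PHPSESSID", "s52io6qs0p94ubic2kuq49ffg7"))
```

Run it with python3; steps 1 to 3 reproduce what the telnet transcripts let you do by hand.
Note that Secure only makes sense once the site is served over HTTPS (the transcripts use
port 80), and that HttpOnly stops script from reading the id but does nothing against a
sniffer on the wire; the attributes reduce how the id can leak, they do not make a leaked
id unusable.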