Sessions and cookies: Adding state to a stateless protocol
Cookies
Cookies are small pieces of text that the browser stores on the client's computer. They are transmitted in HTTP headers sent back and forth between the client (in this case the browser) and the web server.
When the server tells the browser to set a cookie, the header might look something like this:
Set-Cookie: has_been_here=yes
This tells the browser to save a cookie with the name has_been_here and the value of that cookie should be yes.
The full syntax of that header is:
Set-Cookie: <name>=<value>[; <name>=<value>]... [; expires=<date>][; domain=<domain_name>] [; path=<some_path>][; secure][; httponly]
We will talk about the other options later. When a browser has cookies for a specific page it will send them in a header like this:
Cookie: <name>=<value> [;<name>=<value>]...
In our above example it would then be:
Cookie: has_been_here=yes
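The header exchange above, as an added example that is not part of the original tutorial: one PHP function assembles a Set-Cookie header from a name, a value and the options listed in the syntax line, and another parses the Cookie header the browser sends back into an associative array, so you can see the exact text that crosses the wire. The function names and the sample header line are this example's own.

```php
<?php
// Added example, not from the original tutorial: builds the Set-Cookie
// response header by hand and parses the Cookie request header back into
// an array. Function names and the sample header line are constructed here.

function buildSetCookieHeader(string $name, string $value, array $opts = []): string
{
    // The value is URL-encoded so that ';', '=' and spaces cannot break the syntax
    $parts = [$name . '=' . rawurlencode($value)];
    if (isset($opts['expires'])) {
        // HTTP dates are always GMT, e.g. "Wed, 21 Oct 2015 07:28:00 GMT"
        $parts[] = 'expires=' . gmdate('D, d M Y H:i:s', $opts['expires']) . ' GMT';
    }
    foreach (['domain', 'path'] as $key) {
        if (!empty($opts[$key])) {
            $parts[] = $key . '=' . $opts[$key];
        }
    }
    if (!empty($opts['secure']))   { $parts[] = 'secure'; }
    if (!empty($opts['httponly'])) { $parts[] = 'httponly'; }
    return 'Set-Cookie: ' . implode('; ', $parts);
}

function parseCookieHeader(string $header): array
{
    // Strip the "Cookie:" prefix, then split the "name=value" pairs on ';'
    $raw = preg_replace('/^Cookie:\s*/i', '', trim($header));
    $cookies = [];
    foreach (explode(';', $raw) as $pair) {
        $pair = trim($pair);
        if ($pair === '' || strpos($pair, '=') === false) {
            continue; // skip malformed fragments instead of failing the whole header
        }
        [$name, $value] = explode('=', $pair, 2);
        $cookies[trim($name)] = rawurldecode($value);
    }
    return $cookies;
}

// Server side: tell the browser to keep has_been_here for 30 days,
// only under /forums, only over HTTPS and out of reach of JavaScript
echo buildSetCookieHeader('has_been_here', 'yes', [
    'expires'  => time() + 60 * 60 * 24 * 30,
    'path'     => '/forums',
    'secure'   => true,
    'httponly' => true,
]), "\n";

// Client side: a constructed request header as the browser would send it back
$incoming = 'Cookie: has_been_here=yes; theme=dark%20mode';
print_r(parseCookieHeader($incoming));
```

Run it with the PHP command-line interpreter; the first line printed is the response header a server would emit, and the array that follows is what PHP would hand you in $_COOKIE for that request.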
So far so good... To make this a bit easier for us, PHP has some functions that will help us in using cookies. An important function is setcookie(). This function enables us to set cookies with the options explained above for the Set-Cookie HTTP response header.
Because the setcookie() function is sending headers, it is important that you call this function before any content has been output to the browser. Headers are always at the top of an HTTP response, so once you start outputting content you will not be able to send any more headers.
Setting cookies
The first two parameters of the setcookie() function ($name and $value) are obvious. They are setting the name and the value of the cookie, respectively. The other ones might not be so obvious. $expire is for how long the cookie should last. This is expressed with a Unix timestamp. You will have to set the date and time of when the cookie should expire. You will not be able to make a cookie that lasts "forever", but you can make the cookie last a long time (several years for instance). If you want to set a cookie that lasts 30 days, then you could get the timestamp like this:
Either approach gets the current timestamp and adds 30 days to it. You can then pass that value as the third parameter.
The fourth parameter, $path, is used to control which scripts can access the cookie. This is relative to the document root. Say for instance you have http://example.com/forums/index.php and you want to set a cookie using that file. If you set the path to /forums, then the cookie will only be accessible to scripts within the /forums path. If you leave it blank then there is no restriction.
The fifth parameter, $domain, works much like $path does. However, this time the restriction is which domains can access the cookie. Say you have both www.example.com and forums.example.com; then setting $domain to forums.example.com will mean that the cookie is only accessible from the forums subdomain. You can also set it to .example.com and then all subdomains of example.com (e.g. www and forums) will be able to access it.
If you are using a free host where your domain name will be a subdomain of the host's domain (e.g. mysite.awesome-host.biz or something like that) then you might want to ensure that only your specific subdomain will be able to access your cookies, so the other users on that host can't read them.
$domain defaults to the hostname from which it was set. This means that example.com will not be able to get example2.com's cookies.
The last two parameters are a bit more advanced. If you set $secure to true then you are telling the browser to only send the cookie back to the server if the connection is encrypted using SSL/TLS (i.e. over HTTPS). $httponly tells the browser to send the cookie only in HTTP requests, i.e. client-side scripting languages like JavaScript will not be able to read it through document.cookie. This is a useful mitigation against cookie theft through XSS, although it does not stop the XSS itself.
Getting cookies
The cookies that are available will always be accessible using $_COOKIE. This variable holds an associative array of all cookies the browser sent with the current request. To get the has_been_here cookie from earlier, you would access it using $_COOKIE['has_been_here']. $_COOKIE is a superglobal so you will always be able to access it in PHP no matter where you are in the script.
When you set a cookie on a page it will not be immediately accessible through $_COOKIE, because $_COOKIE only reflects what the browser sent with the current request; the new value shows up on the next request. So don't try to read it from $_COOKIE in the same script that sets it.
An example of using cookies
Here is an example of a small script using cookies:
Try to upload the script to your web server and see what happens. Then refresh a couple of times and watch the changes. We have now successfully added state to a stateless protocol.
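The script itself is not reproduced on this page, so here is an added example (not the tutorial author's script) of the kind of thing it describes: a visit counter that uses all seven setcookie() parameters explained in the sections above and works around the fact that $_COOKIE only reflects what the browser sent with the current request. The cookie name, the 30-day lifetime and the /forums path are assumptions chosen for this example.

```php
<?php
// Added example, not the original tutorial's script: a visit counter kept
// in a cookie. The cookie name "visits", the 30-day lifetime and the
// /forums path are choices made for this example.

// setcookie() sends a header, so nothing may be echoed before this point.
$visits = isset($_COOKIE['visits']) ? (int) $_COOKIE['visits'] : 0;
$visits++;

// Expire in 30 days: current Unix timestamp plus 30 days in seconds
$expire = time() + 60 * 60 * 24 * 30;

// setcookie($name, $value, $expire, $path, $domain, $secure, $httponly)
// $domain is left empty so it defaults to the host that served this page;
// secure = true means the browser only returns it over HTTPS, and
// httponly = true keeps it out of reach of JavaScript.
setcookie('visits', (string) $visits, $expire, '/forums', '', true, true);

// Equivalent call on PHP 7.3 and later, which also lets you set SameSite:
// setcookie('visits', (string) $visits, ['expires' => $expire, 'path' => '/forums',
//     'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);

// $_COOKIE still holds what the browser sent with *this* request, so the
// new value is only visible through the local variable until the next
// request. Use $visits, not $_COOKIE['visits'], for the output here.
if ($visits === 1) {
    echo "Welcome, this is your first visit.\n";
} else {
    echo "You have been here {$visits} times.\n";
}
```

If you test this over plain http://, the secure flag stops the browser from ever returning the cookie and the counter will stay at 1 on every refresh; use an HTTPS test server, or pass false for that parameter only while testing locally. Also note that the cookie is only sent for URLs under /forums, so place the script there or adjust the path.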
On the next page we will look at another way of doing this through the usage of sessions.
