PHP Cookies - Set
Cookies are a fundamental part of web development, allowing websites to store small pieces of data directly on users' browsers to personalize experiences, track sessions, and manage user preferences. In PHP, handling cookies is straightforward and powerful. This tutorial will take you through everything you need to know about PHP cookies, especially how to set, retrieve, delete, and manage them effectively.
Prerequisites
- Basic knowledge of PHP language syntax.
- A local or remote server with PHP support (e.g., XAMPP, WAMP, or a live web server).
- A text editor (VS Code, Sublime Text, etc.) to write PHP scripts.
- Basic understanding of HTTP and browser behavior.
Setup Steps
- Prepare your PHP environment: Ensure PHP is installed and the server is running.
- Create a new PHP file: For example, set_cookie.php.
- Make sure no output is sent before setting cookies: Because cookies are sent in HTTP headers, any output (like HTML or echo statements) before setcookie() will cause errors.
What Are Cookies in PHP?
Cookies are small pieces of data sent by the server to the browser and stored locally. PHP provides dedicated functions to set, access, and delete cookies via the setcookie() function and the $_COOKIE superglobal array.
How to Set Cookies in PHP
Use the setcookie() function to set a cookie with the following syntax:
setcookie(name, value, expire, path, domain, secure, httponly);
Only the name parameter is mandatory. Most common parameters you'll use:
- name: Name of the cookie.
- value: Value of the cookie.
- expire: Expiration timestamp (seconds since Unix Epoch), after which the cookie will expire.
- path: The server path where the cookie will be available (default is the current directory).
- secure: Whether the cookie should only be transmitted over secure HTTPS connections.
- httponly: If true, the cookie is only accessible through the HTTP protocol, not JavaScript, enhancing security.
Example 1: Setting a Simple Cookie
<?php
// Set a cookie named "user" with value "John Doe" that expires in 1 hour
setcookie("user", "John Doe", time() + 3600);
?>
Make sure to place this at the top of your PHP file before any HTML output.
Example 2: Setting Cookie with Path and Secure Flags
<?php
// Set a cookie available across the entire domain, secure and HTTP only, expires in 7 days
setcookie("sessionId", "abc123xyz", time() + 604800, "/", "", true, true);
?>
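The same hardened cookie as in Example 2, written with the associative-array form of setcookie() that PHP 7.3 and later accept. This form also exposes the SameSite attribute, which the positional syntax cannot set, and the wrapper checks headers_sent() so a misplaced call is logged instead of silently failing. This is an added example, not code from the original tutorial; the function name setHardenedCookie and the cookie name "theme" are made up for illustration.

```php
<?php
// Added example: hardened cookie attributes via the options-array form of
// setcookie() (PHP >= 7.3). Function and cookie names are illustrative.

/**
 * Set a cookie with Secure, HttpOnly and SameSite attributes.
 * Returns false (and logs the location of the stray output) when HTTP
 * headers have already been sent, because setcookie() cannot work then.
 */
function setHardenedCookie(string $name, string $value, int $ttlSeconds): bool
{
    if (headers_sent($file, $line)) {
        error_log("Cannot set cookie '$name': output already started at $file:$line");
        return false;
    }

    return setcookie($name, $value, [
        'expires'  => time() + $ttlSeconds,
        'path'     => '/',        // available on every path of the site
        'domain'   => '',         // current host only, no subdomain sharing
        'secure'   => true,       // only transmitted over HTTPS
        'httponly' => true,       // not readable from JavaScript
        'samesite' => 'Strict',   // not attached to cross-site requests
    ]);
}

// Usage: a 7-day preference cookie (must run before any HTML output)
setHardenedCookie('theme', 'dark', 7 * 24 * 3600);
```

The samesite value is one of "Lax", "Strict" or "None"; "None" only makes sense together with secure => true, since browsers reject SameSite=None cookies that are not marked Secure.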
Accessing Cookies in PHP
To read cookies sent by the browser, use the $_COOKIE superglobal array:
<?php
if (isset($_COOKIE["user"])) {
    echo "User cookie value: " . htmlspecialchars($_COOKIE["user"]);
} else {
    echo "User cookie not set.";
}
?>
Deleting a Cookie
To delete a cookie, set its expiration time to a past timestamp:
<?php
// Delete the "user" cookie by setting expiry time to one hour ago
setcookie("user", "", time() - 3600);
?>
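A browser only overwrites (and therefore expires) a stored cookie when the name, path and domain of the new Set-Cookie header match the stored one, so deleting the cookie from Example 2 must repeat the attributes it was created with. The following helper does that and also clears the local $_COOKIE entry, because $_COOKIE still reflects what the browser sent at the start of the request. This is an added example rather than the tutorial's own code; the function name deleteCookie is illustrative.

```php
<?php
// Added example: delete a cookie that was set with explicit attributes
// (here matching Example 2: path "/", secure, httponly). Function name is
// illustrative.

function deleteCookie(string $name, string $path = '/', string $domain = ''): bool
{
    // Empty value plus an expiry in the past tells the browser to discard it.
    // path/domain must match the original cookie or a second cookie is created.
    $sent = setcookie($name, '', [
        'expires'  => time() - 3600,
        'path'     => $path,
        'domain'   => $domain,
        'secure'   => true,
        'httponly' => true,
    ]);

    // The browser learns of the deletion only from this response, so the old
    // value stays in $_COOKIE for the rest of the request; remove it locally
    // so later code in this request does not keep treating it as valid.
    unset($_COOKIE[$name]);

    return $sent;
}

// Usage: remove the "sessionId" cookie from Example 2
deleteCookie('sessionId');
```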
Best Practices for Using PHP Cookies
- Set cookies before any HTML output: Cookies are part of HTTP headers, so calling setcookie() after any output results in errors.
- Use httponly and secure flags: These attributes improve security by preventing JavaScript access and restricting transport to HTTPS.
- Store minimal, non-sensitive data: Cookies can be edited or forged by clients, so avoid storing sensitive information like passwords.
- Use proper expiration times: Set cookies to expire according to your application's needs; too long may expose stale data, too short may degrade user experience.
- Sanitize all cookie data: Never trust cookie data blindly; always validate and sanitize before use.
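One way to act on "cookies can be forged" and "never trust cookie data blindly" at the same time: store the value together with an HMAC computed from a server-side secret, verify the tag in constant time on read, and then still check the decoded value against an allowlist. A client can still read such a cookie, so it protects integrity, not confidentiality. This is an added example, not part of the original tutorial; the constant COOKIE_SECRET is a placeholder, and the function names and the "prefs" cookie are made up.

```php
<?php
// Added example: tamper-evident cookie values with HMAC-SHA256.
// COOKIE_SECRET is a placeholder; in real code load a long random secret
// from configuration or the environment, never from source control.
const COOKIE_SECRET = 'placeholder-replace-with-32-plus-random-bytes';

/** Encode the value and append an HMAC tag: "<base64 value>.<hex tag>". */
function signCookieValue(string $value, string $secret): string
{
    $tag = hash_hmac('sha256', $value, $secret);
    // base64 keeps special characters intact; "." is not in its alphabet,
    // so it is a safe separator between payload and tag.
    return base64_encode($value) . '.' . $tag;
}

/** Return the original value, or null if missing, malformed or tampered with. */
function readSignedCookie(string $name, string $secret): ?string
{
    if (!isset($_COOKIE[$name]) || !is_string($_COOKIE[$name])) {
        return null;
    }
    $parts = explode('.', $_COOKIE[$name], 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$encoded, $tag] = $parts;
    $value = base64_decode($encoded, true);   // strict: reject junk characters
    if ($value === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $value, $secret);
    // hash_equals() compares in constant time, avoiding a timing side channel
    return hash_equals($expected, $tag) ? $value : null;
}

// Writing (before any output): sign, then set with hardened attributes
setcookie('prefs', signCookieValue('lang=de', COOKIE_SECRET), [
    'expires'  => time() + 86400,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// Reading on a later request: integrity check first, then an allowlist,
// because a valid signature only proves the server wrote it, not that the
// value is one this code expects.
$allowedLangs = ['en', 'de', 'fr'];
$lang = 'en';
$prefs = readSignedCookie('prefs', COOKIE_SECRET);
if ($prefs !== null && preg_match('/^lang=([a-z]{2})$/', $prefs, $m)
    && in_array($m[1], $allowedLangs, true)) {
    $lang = $m[1];
}
```

Rotating COOKIE_SECRET invalidates every signed cookie at once, which is usually the desired behaviour after a suspected leak of the secret.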
Common Mistakes When Working with PHP Cookies
- Calling setcookie() after outputting any HTML or whitespace.
- Not setting the cookie expiration time, which makes it a session cookie that expires when the browser closes.
- Misunderstanding that cookie changes are only available on the next page load.
- Relying on cookies alone for authentication or security.
- Not setting the path parameter properly, causing cookies to be inaccessible on other paths.
Interview Questions
Junior Level
- Q1: How do you set a cookie in PHP?
A1: Use the setcookie() function with at least the cookie name and value.
- Q2: Where are cookies stored?
A2: Cookies are stored on the user's browser.
- Q3: How can you access cookie data in PHP?
A3: Using the $_COOKIE superglobal array.
- Q4: What parameter controls when a cookie expires?
A4: The expire timestamp parameter in setcookie().
- Q5: What happens if you don't specify expiry time when setting a cookie?
A5: The cookie becomes a session cookie and expires when the browser closes.
Mid Level
- Q1: Why must setcookie() be called before sending output?
A1: Because cookies are sent via HTTP headers, which must be sent before any HTML or echo output.
- Q2: How do you delete a cookie in PHP?
A2: Set the cookie's expiration time to a past timestamp using setcookie().
- Q3: What does the httponly flag do in a cookie?
A3: It restricts access to the cookie from client-side scripts like JavaScript for security.
- Q4: Can you set a cookie for an entire domain in PHP?
A4: Yes, by setting the path parameter to "/" and optionally specifying the domain parameter.
- Q5: Why should sensitive data not be stored directly in cookies?
A5: Cookies can be modified or viewed by users, which makes them insecure for storing sensitive information.
Senior Level
- Q1: How would you securely manage user sessions using cookies in PHP?
A1: Use a session ID cookie with httponly and secure flags set, combined with server-side session management to store sensitive data.
- Q2: How does PHP handle cookie availability across different subdomains?
A2: Use the domain parameter in setcookie() to specify the parent domain prefixed by a dot (e.g., ".example.com") to share cookies between subdomains.
- Q3: Explain the timing considerations when updating a cookie value.
A3: When you update a cookie using setcookie(), the new value is not immediately available in $_COOKIE during the same request, only on subsequent requests.
- Q4: How can you prevent Cross-Site Scripting (XSS) attacks using cookies?
A4: Set the httponly flag to disallow JavaScript access, and use Content Security Policies and input sanitization server-side.
- Q5: Discuss the differences between cookies and PHP sessions with respect to data storage and security.
A5: Cookies store data client-side and can be tampered with, while sessions store data server-side with the client holding only the session ID, making sessions more secure for sensitive data.
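The senior-level answers above describe the pattern in words: the client holds only a session ID cookie with hardened flags, everything sensitive stays server-side. The following added example (not from the original tutorial) shows that pattern with PHP's built-in session handling: session_set_cookie_params() configures the attributes of the session cookie before session_start(), the session ID is regenerated when the user's privilege changes, and logout expires the cookie with matching attributes. The function names and the user ID 42 are illustrative.

```php
<?php
// Added example: PHP sessions with a hardened session-ID cookie.
// Function names and the user id are placeholders for illustration.

function startSecureSession(): void
{
    // Attributes for the session cookie (PHPSESSID by default);
    // must be set before session_start() sends the cookie.
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie, gone on close
        'path'     => '/',
        'domain'   => '',       // current host only
        'secure'   => true,     // HTTPS only
        'httponly' => true,     // invisible to JavaScript
        'samesite' => 'Lax',
    ]);
    // Accept session IDs only from the cookie (never from the URL) and
    // refuse IDs the server did not generate itself.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_start();
}

function loginUser(int $userId): void
{
    // Issue a fresh ID on login so an ID obtained before authentication
    // cannot be reused afterwards (session fixation); true deletes the old file.
    session_regenerate_id(true);
    $_SESSION['user_id']      = $userId;   // sensitive data stays server-side
    $_SESSION['logged_in_at'] = time();
}

function logoutUser(): void
{
    $_SESSION = [];
    // Expire the session cookie in the browser using the same attributes
    // it was set with, otherwise the browser keeps the old cookie.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Usage (before any output): start the session, then log a user in
startSecureSession();
loginUser(42);
```

Because only the opaque session ID travels to the client, the user cannot edit user_id the way they could edit a plain cookie, and the server can revoke access at any time by destroying the session data.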
Frequently Asked Questions (FAQ)
Q1: Can I set cookies after sending HTML output?
No, cookies must be set before any output because they are sent in HTTP headers.
Q2: How long do cookies last?
Cookies last until their expiration time set with setcookie() or they are deleted by the user or browser. Session cookies expire when the browser closes.
Q3: Can cookie values contain special characters?
You should encode cookie values using urlencode() or base64_encode() to avoid issues with special characters.
Q4: How can cookies improve user experience?
Cookies can store user preferences, language settings, shopping cart data, and other personalized information to create a smoother experience.
Q5: Are cookies secure?
Cookies are not inherently secure since they are stored client-side. Use secure and httponly flags, and never store sensitive data directly inside cookies.
Conclusion
PHP cookies are an essential tool to manage small pieces of data between the server and the browser. Knowing how to properly set, access, update, and delete cookies allows you to build user-friendly, personalized web applications. Always follow best security practices and understand the limitations of cookies versus other storage and session techniques. With this tutorial, you should now have a comprehensive understanding of how to work with PHP cookies efficiently and safely.