A cookie is a small item of data that a web server asks a web browser to store on the user's computer. It can contain almost any text (browsers typically allow about 4 KB per cookie) and is returned to the server with subsequent requests. Common uses include session tracking, maintaining data across multiple visits, holding shopping cart contents, remembering login state, and more.
Because of their privacy implications, cookies are returned only to the domain that issued them. In other words, if a cookie is issued by, for example, http://www.oreilly.com, it can be retrieved only by a web server at that domain. This prevents other websites from gaining access to details they are not authorized to have. Note that the scope is the domain (and optionally a path), not the full origin: the scheme is not part of it, so a cookie set over https:// is also sent over plain http:// unless it is marked secure.
Due to the way the Internet works, multiple elements on a web page can be embedded from multiple domains, each of which can issue its own cookies. These are referred to as third-party cookies. Most commonly, they are created by advertising companies in order to track users across multiple websites.
Most browsers allow users to turn off cookies for either the current server’s domain, third-party servers, or both. Fortunately, most people who disable cookies do so only for third-party websites.
Cookies are exchanged in HTTP headers, which are transferred before the body of a web page is sent, so a cookie cannot be sent once any HTML (or any other output) has been transferred, unless PHP output buffering is holding that output back. Therefore, careful planning of cookie usage is important. Figure 12-1 illustrates a typical request and response dialog between a web browser and web server passing cookies.
This exchange shows a browser receiving two pages:
The browser issues a request to retrieve the main page, index.html, at the website http://www.webserver.com. The first header specifies the file and the second header specifies the server.
When the web server at webserver.com receives this pair of headers, it returns some of its own. The second header defines the type of content to be sent (text/html) and the third one sends a cookie with the name name and the value value. Only then are the contents of the web page transferred.
Once the browser has received the cookie, it will return it with every future request to the issuing server whose domain and path match the cookie, until the cookie expires or is deleted. So, when the browser requests the new page /news.html, it also returns the cookie name with the value value.
Because the cookie has already been set, when the server receives the request to send /news.html, it does not have to resend the cookie, but just returns the requested page.
Setting a cookie in PHP is a simple matter. As long as no output (HTML or otherwise) has yet been transferred, you can call the setcookie function, which has the following syntax (see Table 12-1):
setcookie(name, value, expire, path, domain, secure, httponly);
Since PHP 7.3, the parameters after value can instead be passed as an associative array, setcookie(name, value, options), with the keys expires, path, domain, secure, httponly, and samesite. The samesite attribute (Lax, Strict, or None) has no equivalent in the positional form, so the array form is preferable for any cookie that carries login or session state.
Parameter | Description |
name | The name of the cookie. This is the name that your server will use to access the cookie on subsequent browser requests, as the key in the $_COOKIE array. |
value | The value of the cookie, or the cookie's contents: up to about 4 KB of text. setcookie URL-encodes the value before sending it, and PHP decodes it again when it populates $_COOKIE. |
expire | (Optional) The Unix timestamp of the cookie's expiration date, normally computed as time() plus a number of seconds. If omitted or 0, the cookie lasts only until the browser session ends. |
path | (Optional) The path on the server for which the cookie is valid. With /, the cookie is sent with requests for the entire site; with a path such as /news/, it is sent only for that directory and those below it. |
domain | (Optional) The Internet domain of the cookie. If this is .webserver.com, the cookie is available to all of webserver.com and its subdomains, such as www.webserver.com and images.webserver.com. If it is images.webserver.com, the cookie is available only to images.webserver.com and its subdomains, such as sub.images.webserver.com, but not, say, to www.webserver.com. If omitted, the cookie is sent only to the exact host that issued it, which is the most restrictive and usually the right choice. |
secure | (Optional) Whether the cookie must use a secure connection (https://). If this value is TRUE, the browser sends the cookie only over HTTPS; the default is FALSE. Any cookie holding session or login state should set this. |
httponly | (Optional; implemented since PHP version 5.2.0) Whether the cookie is confined to the HTTP protocol. If this value is TRUE, the cookie is sent only in HTTP(S) requests and is hidden from client-side script such as JavaScript's document.cookie, which limits what a cross-site scripting (XSS) bug can steal; the default is FALSE. |
So, to create a cookie with the name username and the value “Hannah” that is accessible across the entire web server on the current domain, and will be removed from the browser's cache in seven days, use the following. Bear in mind that the browser, and anyone with access to it, can read and rewrite this value, so a cookie like this records a preference; it is not proof of who the user is.
setcookie('username', 'Hannah', time() + 60 * 60 * 24 * 7, '/');
Reading the value of a cookie is as simple as accessing the $_COOKIE system array. For example, if you wish to see whether the current browser has the cookie called username already stored and, if so, to read its value, use the following:
if (isset($_COOKIE['username'])) $username = $_COOKIE['username'];
Treat whatever comes back as untrusted input, exactly like $_GET and $_POST: validate it before use and escape it before echoing it into a page.
Note that you can read a cookie back only after it has been sent to a web browser. $_COOKIE is populated from the Cookie request header when your script starts, so when you issue a cookie, you cannot read it in again until the browser reloads the page (or another with access to the cookie) from your website and passes the cookie back to the server in the process.
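As an added example (not the book's own code) covering both setting and reading a cookie, the following issues the username cookie in a form the client cannot silently alter: the value is paired with an HMAC computed with a server-side secret, and the cookie is flagged secure, httponly and SameSite using the options-array form of setcookie available since PHP 7.3. The COOKIE_KEY environment variable, the helper names and the allowed-username pattern are assumptions made for illustration. The headers_sent check guards against the failure mode described above, where output has already started and the Set-Cookie header can no longer be sent.

```php
<?php
// Added example: a tamper-evident username cookie.
// Assumption: the secret is supplied in the COOKIE_KEY environment variable
// (any stable, high-entropy value that only the server knows).
declare(strict_types=1);

const COOKIE_NAME = 'username';
const COOKIE_TTL  = 60 * 60 * 24 * 7; // seven days, as in the text

function cookie_key(): string
{
    $key = getenv('COOKIE_KEY');
    if ($key === false || strlen($key) < 32) {
        throw new RuntimeException('COOKIE_KEY must be set to at least 32 bytes');
    }
    return $key;
}

// Encodes as value|hex(HMAC-SHA256(value)). Usernames are restricted below
// to characters that cannot contain the '|' separator.
function sign_value(string $value): string
{
    return $value . '|' . hash_hmac('sha256', $value, cookie_key());
}

// Returns the original value, or null if the MAC is missing or does not match.
function verify_value(string $signed): ?string
{
    $parts = explode('|', $signed, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$value, $mac] = $parts;
    $expected = hash_hmac('sha256', $value, cookie_key());
    return hash_equals($expected, $mac) ? $value : null; // constant-time compare
}

function set_username_cookie(string $username): bool
{
    // Headers, including Set-Cookie, cannot be sent once output has started.
    if (headers_sent($file, $line)) {
        error_log("cannot set cookie: output already started at $file:$line");
        return false;
    }
    // PHP 7.3+ options-array form; adds SameSite, which the positional form lacks.
    return setcookie(COOKIE_NAME, sign_value($username), [
        'expires'  => time() + COOKIE_TTL,
        'path'     => '/',
        'domain'   => '',     // current host only
        'secure'   => true,   // HTTPS only
        'httponly' => true,   // hidden from document.cookie
        'samesite' => 'Lax',  // not sent on cross-site POSTs
    ]);
}

function read_username_cookie(): ?string
{
    if (!isset($_COOKIE[COOKIE_NAME]) || !is_string($_COOKIE[COOKIE_NAME])) {
        return null;
    }
    $username = verify_value($_COOKIE[COOKIE_NAME]);
    // The MAC proves the server issued the value; still validate its format.
    if ($username === null || !preg_match('/^[A-Za-z0-9_]{1,32}$/', $username)) {
        return null;
    }
    return $username;
}

// First visit: issue the cookie. Later visits: the browser sends it back
// in the Cookie header and it can be read from $_COOKIE.
if (($username = read_username_cookie()) === null) {
    set_username_cookie('Hannah');
    echo "Cookie issued; reload to read it back.\n";
} else {
    echo 'Welcome back, ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . "\n";
}
```

The MAC stops a user from editing the cookie to claim another name, but it does not hide the value, and it is not a substitute for PHP sessions: for login state, keep the data server-side and put only the session identifier in the cookie.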
To delete a cookie, you must issue it again with an expiry date in the past. A browser identifies a cookie by its name, path, and domain, so those three parameters in your new setcookie call must be identical to the ones used when the cookie was first issued; otherwise, the browser treats the call as a different cookie and the deletion fails. (The value itself does not matter for matching, but the secure flag should be kept, since browsers may refuse to let an insecure response overwrite a secure cookie.) Therefore, to delete the cookie created earlier, you would use the following:
setcookie('username', 'Hannah', time() - 2592000, '/');
As long as the time given is in the past, the browser should discard the cookie. However, I have used a time of 2,592,000 seconds (one month) in the past in this example, in case the client computer's date and time are not set correctly. Note also that $_COOKIE was filled in from the request headers before your script ran, so the old value remains visible in $_COOKIE for the rest of the current request unless you unset it yourself.
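An added example (not the book's own code) that wraps the deletion rules above in a helper: it reuses the path and domain the cookie was issued with, expires it one month in the past as in the text, and also clears $_COOKIE so the remainder of the request does not keep acting on the stale value. The function name, the logout query parameter and the assumption that the cookie was issued with path / and no explicit domain are illustrative.

```php
<?php
// Added example: deleting a cookie so that the browser actually discards it.
// Assumes the cookie was issued with path '/' and no domain, as in the text.
declare(strict_types=1);

function delete_cookie(string $name, string $path = '/', string $domain = ''): bool
{
    if (headers_sent()) {
        return false; // Set-Cookie can no longer be emitted in this response
    }
    // Name, path and domain identify the cookie; the value is irrelevant,
    // so send an empty one with an expiry well in the past (one month).
    $ok = setcookie($name, '', [
        'expires'  => time() - 2592000,
        'path'     => $path,
        'domain'   => $domain,
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    // $_COOKIE was populated from the request headers before this script ran,
    // so clear it too or the rest of this request still sees the old value.
    unset($_COOKIE[$name]);
    return $ok;
}

// Assumed trigger for illustration: /page.php?logout=1
if (isset($_GET['logout'])) {
    if (delete_cookie('username')) {
        echo "Cookie username cleared.\n";
    } else {
        echo "Could not clear cookie: headers already sent.\n";
    }
}
```

If the cookie was originally set with a domain such as .webserver.com, pass that same domain to delete_cookie; a deletion issued for the bare host would create a second, host-only cookie instead of removing the first.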