Cookies allow your applications to store a small amount of textual data (typically,
4-6kB) on a Web client. There are a number of possible uses for cookies, although
their most common one is maintaining session state (explained in the next section).
Cookies are typically set by the server using a response header, and subsequently
made available by the client as a request header.
You should not think of cookies as a secure storage mechanism. Although you can
transmit a cookie so that it is exchanged only when an HTTP transaction takes place
securely (e.g.: under HTTPS), you have no control over what happens to the cookie
data while it’s sitting at the client’s side—or even whether the client will accept your
cookie at all (most browsers allow their users to disable cookies). Therefore, cookies
should always be treated as “tainted” until proven otherwise.
To set a cookie on the client, you can use the setcookie() function:
setcookie("hide_menu", "1");

This simple function call sets a cookie called “hide_menu” to a value of 1 for the
remainder of the user’s browser session, at which time it is automatically deleted.
Should you wish to make a cookie persist between browser sessions, you will need
to provide an expiration date. Expiration dates are provided to setcookie() in the
UNIX timestamp format (the number of seconds that have passed since January 1,
1970). Remember that a user or their browser settings can remove a cookie at any
time—therefore, it is unwise to rely on expiration dates too much.
setcookie("hide_menu", "1", time() + 86400);

This will instruct the browser to (try to) hang on to the cookie for a day.
There are three more arguments you can pass to setcookie(). They are, in order:
• path—allows you to specify a path (relative to your website’s root) where the
cookie will be accessible; the browser will only send a cookie to pages within
• domain—allows you to limit access to the cookie to pages within a specific domain
or hostname; note that you cannot set this value to a domain other than
the one of the page setting the cookie (e.g.: the host www.phparch.com can set a
cookie for hades.phparch.com, but not for www.microsoft.com).
• secure—this requests that the browser only send this cookie as part of its request
headers when communicating under HTTPS.
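The path, domain and secure arguments in use, together with a read-back that treats the cookie value as tainted until it has been checked, as an added example that is not part of the original text. It assumes the site is served over HTTPS at www.phparch.com and that hide_menu is only ever meant to hold "0" or "1"; the seventh argument, httponly, is not covered in the text above.

```php
<?php
// Added example (not from the original text). Assumptions: the page is served
// over HTTPS from www.phparch.com, and hide_menu only ever holds "0" or "1".

function set_hide_menu(bool $hide): void
{
    setcookie(
        'hide_menu',
        $hide ? '1' : '0',
        time() + 86400,      // expire: one day from now, as a UNIX timestamp
        '/',                 // path: the whole site
        'www.phparch.com',   // domain: must be the host setting the cookie (or a subdomain of it)
        true,                // secure: only sent by the browser over HTTPS
        true                 // httponly: not described above; hides the cookie from client-side script
    );
}

// Cookies arrive as untrusted request-header data, so the value is validated
// against the two values we expect before it influences anything.
// Returns null when the cookie is absent or holds anything unexpected.
function read_hide_menu(array $cookies): ?bool
{
    if (!isset($cookies['hide_menu'])) {
        return null;    // browser refused the cookie, or it expired / was removed
    }
    $raw = $cookies['hide_menu'];
    if ($raw === '1') {
        return true;
    }
    if ($raw === '0') {
        return false;
    }
    return null;        // tampered or malformed value: ignore it, fall back to a default
}

// Usage on a request: $hide = read_hide_menu($_COOKIE) ?? false;
```

Because setcookie() writes a response header, set_hide_menu() must be called before any output is sent to the client.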