Cookies allow your applications to store a small amount of textual data (typically about 4kB per cookie) on a Web client. There are a number of possible uses for cookies, although their most common one is maintaining session state (explained in the next section).
Cookies are set by the server using a Set-Cookie response header, and subsequently sent back by the client in a Cookie request header with every request that matches the cookie's host and path.
You should not think of cookies as a secure storage mechanism. Although you can mark a cookie so that it is exchanged only when an HTTP transaction takes place securely (i.e. under HTTPS), you have no control over what happens to the cookie data while it is sitting on the client's side: the user can read and rewrite it with a few clicks, and any script running in the browser can do the same unless the cookie is hidden from script. Nor do you control whether the client will accept your cookie at all (most browsers allow their users to disable cookies). Therefore, cookie values should always be treated as “tainted” input, to be validated like any other data arriving from the client, until proven otherwise.
To set a cookie on the client, you can use the setcookie() function:
setcookie("hide_menu", "1");
This simple function call sets a cookie called “hide_menu” to a value of 1 for the remainder of the user's browser session; because it carries no expiration date, the browser discards it when the session ends (browsers that restore sessions on restart may keep it longer than you expect).
Should you wish to make a cookie persist between browser sessions, you will need to provide an expiration date. Expiration dates are provided to setcookie() in the UNIX timestamp format (the number of seconds that have passed since January 1, 1970). Remember that a user or their browser settings can remove a cookie at any time—therefore, it is unwise to rely on expiration dates too much.
setcookie("hide_menu", "1", time() + 86400);
This will instruct the browser to (try to) hang on to the cookie for a day.
There are four more arguments you can pass to setcookie(). They are, in order:
• path—allows you to specify a path (relative to your website's root) where the cookie will be accessible; the browser will only send the cookie with requests for URLs under that path prefix. Treat this as a convenience, not a security boundary: the browser's same-origin policy ignores the path, so script on any page of the same origin can still read the cookie through document.cookie.
• domain—allows you to limit access to the cookie to pages within a specific domain or hostname; note that you can only set this value to the host setting the cookie or one of its parent domains (e.g.: the host www.phparch.com can set a cookie for phparch.com, which the browser will then send to every host under it, including hades.phparch.com, but it cannot set one for www.microsoft.com). Leaving the argument out scopes the cookie to the setting host alone, which is usually what you want.
• secure—this requests that the browser only send this cookie as part of its request headers when communicating under HTTPS. A secure cookie set during a plain HTTP request is accepted by the browser but never sent back until the user connects over HTTPS.
• httponly—(PHP 5.2 and later) this requests that the browser not expose the cookie to client-side script such as document.cookie, which limits what a cross-site scripting bug can steal; the cookie is still sent with every matching request.
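The following is an added example, not code from the original article, showing every attribute above set at once. The cookie name, the /members/ path and the phparch.com domain are assumptions; the options-array form assumes PHP 7.3 or later, which is the only way to set the SameSite attribute through setcookie().

```php
<?php
// Added example (not from the original article): setting a cookie with all of
// the attributes discussed above. Name, path and domain are assumptions.

if (PHP_VERSION_ID >= 70300) {
    // PHP 7.3+ accepts an options array, which also allows SameSite.
    setcookie("hide_menu", "1", [
        "expires"  => time() + 86400,   // keep for one day
        "path"     => "/members/",      // only sent for URLs under /members/
        "domain"   => "phparch.com",    // sent to phparch.com and every host beneath it
        "secure"   => true,             // only over HTTPS
        "httponly" => true,             // not readable from JavaScript
        "samesite" => "Lax",            // withheld on cross-site POSTs; "Strict" is tighter
    ]);
} else {
    // Classic positional form: name, value, expires, path, domain, secure,
    // httponly (the last one exists since PHP 5.2).
    setcookie(
        "hide_menu",
        "1",
        time() + 86400,
        "/members/",
        "phparch.com",
        true,
        true
    );
}
?>
```

Two things to check when you adapt this: if the page that sets a secure cookie is served over plain HTTP, the browser will accept the cookie but never return it, so the feature appears broken; and naming the domain explicitly widens the cookie to every subdomain, so omit the domain argument unless you need that sharing.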
Accessing Cookie Data
Cookie data is usually sent to the server in a single Cookie request header. The PHP interpreter takes care of automatically separating the individual cookies from the header and places them in the $_COOKIE superglobal array. Check that a cookie is present before reading it, and compare strictly: cookie values always arrive as strings and have not been validated by anyone:
<?php
// Reading the cookie set earlier; isset() avoids an undefined-index notice
// when the client did not send it, and === refuses values like "1abc".
if (isset($_COOKIE['hide_menu']) && $_COOKIE['hide_menu'] === '1') {
    // hide menu
}
?>
Cookie values must be scalar; of course, you can create arrays using the same array notation that we used for $_GET and $_POST:
<?php
// Each call sends its own Set-Cookie header; the bracket notation in the
// name is what makes PHP rebuild an array on the next request.
setcookie("test_cookie[0]", "foo");
setcookie("test_cookie[1]", "bar");
setcookie("test_cookie[2]", "baz");
?>
At the next request, $_COOKIE['test_cookie'] will automatically contain an array. You should, however, keep in mind that the amount of storage available is severely limited, and that the client decides what that array contains (it may send a scalar, or extra keys, instead). Keep the amount of data you store in cookies to a minimum, and use sessions instead.
Remember that setting cookies is a two-stage process: first, you send the cookie to the client, which will then send it back to you at the next request. Therefore, the $_COOKIE array will not be populated with new information until the next request comes along; calling setcookie() does not change $_COOKIE in the current request.
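As an added example (not part of the original article), here is how the two cookies above can be read as tainted input: a strict check for the scalar cookie, and a whitelist filter for the array cookie that also copes with the client sending something other than an array. The cookie names and the permitted values are assumptions for illustration; the functions take the cookie array as a parameter so they can be exercised with constructed data, and assume PHP 7 or later for the type declarations.

```php
<?php
// Added example, not part of the original article: treating $_COOKIE as
// tainted input. Cookie names and the permitted values are assumptions.

// True only when the cookie is present and is exactly the string "1".
// The strict comparison matters: with "==", the numeric string "01" compares
// equal to 1 in every PHP version, and "1abc" did so before PHP 8.
function menu_hidden(array $cookies): bool
{
    return isset($cookies['hide_menu']) && $cookies['hide_menu'] === '1';
}

// Validates an array cookie (test_cookie[0], test_cookie[1], ...) against a
// list of permitted values. Anything else is dropped, including the cases
// where the client sent a scalar instead of an array, or nested arrays.
function allowed_values(array $cookies, array $permitted): array
{
    if (!isset($cookies['test_cookie']) || !is_array($cookies['test_cookie'])) {
        return [];
    }
    $clean = [];
    foreach ($cookies['test_cookie'] as $value) {
        if (is_string($value) && in_array($value, $permitted, true)) {
            $clean[] = $value;
        }
    }
    return array_values(array_unique($clean));
}

// Constructed sample of what $_COOKIE could contain: the client echoed the
// cookies set earlier, but one value was tampered with and one was added.
$sample = [
    'hide_menu'   => '1abc',
    'test_cookie' => ['foo', 'bar', 'bar', '<script>'],
];

var_dump(menu_hidden($sample));
var_dump(allowed_values($sample, ['foo', 'bar', 'baz']));
var_dump(allowed_values(['test_cookie' => 'foo'], ['foo']));

// In a real request, pass the superglobal itself: menu_hidden($_COOKIE)
?>
```

The whitelist approach is deliberate: rather than trying to strip dangerous characters from whatever the client sent, the code only keeps values it already knows, which is the safest way to handle data you cannot trust.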
There is no way to “delete” a cookie directly, because you really have no control over how cookies are stored and managed on the client side. You can, however, call setcookie() with an empty value and an expiration time in the past, which tells the browser to discard the cookie. The path and domain arguments must match the ones used when the cookie was set; otherwise the browser treats the request as a different cookie and keeps the original:
<?php
// An empty value and a timestamp one hour in the past expire the cookie.
setcookie("hide_menu", "", time() - 3600);
?>
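The helper below is an added example, not code from the original article. It expires a cookie using the same path and domain it was set with (the /members/ path and phparch.com domain are assumptions) and also clears the stale copy in $_COOKIE, since the superglobal still holds the value sent with the current request.

```php
<?php
// Added example (not from the original article): expiring a cookie. The
// path and domain are assumptions; they must match the values used when the
// cookie was set, because a cookie is identified by name, domain and path.
function delete_cookie(string $name, string $path = "/", string $domain = ""): void
{
    // An expiration time in the past tells the browser to discard the cookie;
    // time() - 3600 makes the intent clearer than a bare negative number.
    setcookie($name, "", time() - 3600, $path, $domain);

    // The browser will not send the cookie again, but $_COOKIE still contains
    // the value from this request. Clear it so later code in the same request
    // does not act on a cookie that is logically gone.
    unset($_COOKIE[$name]);
}

// Matches the attributes the cookie was assumed to be set with.
delete_cookie("hide_menu", "/members/", "phparch.com");
?>
```

If the cookie was set without an explicit domain, call the helper without one too; passing "phparch.com" in that case creates (and immediately expires) a second, domain-scoped cookie and leaves the original in place.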