
PHP and the Web

This chapter is from the book

What are cookies? Cookies are often spoken of as if they were entities in their own right, and that framing can easily mislead you. Cookies are actually just an extension of the HTTP protocol. Specifically, there are two additional HTTP headers: Set-Cookie and Cookie. The operation of these cookies is best described by the following series of events:

  1. Client sends an HTTP request to server.

  2. Server sends an HTTP response with Set-Cookie: foo=bar to client.

  3. Client sends an HTTP request with Cookie: foo=bar to server.

  4. Server sends an HTTP response to client.

Thus, the typical scenario involves two complete HTTP transactions. In step 2, the server is asking the client to return a particular cookie in future requests. In step 3, if the user's preferences are set to allow cookies, and if the cookie is valid for this particular request, the browser requests the resource again but includes the cookie.

Hopefully this simple explanation already makes it clear why you cannot determine whether a user's preferences are set to allow cookies during the first request. When you set a cookie in your PHP code, whether by using setcookie() or header(), all you are doing is modifying the HTTP response to include a Set-Cookie header. You cannot, during the time that you are generating this response, determine how the browser will react. After all, the browser won't even receive the response (and the Set-Cookie header) until PHP has finished executing.

The Set-Cookie header, at a minimum, contains the name and value of the cookie. For example,

Set-Cookie: foo=bar

Other attributes can be included to modify when the cookie is to be sent in a subsequent request. These optional attributes are as follows:

  • domain—Restricts requests for which the cookie is sent to those that are within the specified domain or in subdomains. The default is the domain of the current resource.

  • expires—A date after which the cookie is no longer valid and should be deleted. The default is to persist the cookie in memory only, expiring it as soon as the browser exits.

  • path—Only requests for resources within the specified path include the cookie. The default is no path restrictions.

  • secure—An attribute with no value that indicates that the cookie should only be sent in requests sent over a secure connection, such as SSL.

An example of a Set-Cookie header with all optional attributes is as follows:

Set-Cookie: foo=bar; domain=example.org; expires=Mon, 26 Jul 2004 12:34:56 GMT; path=/; secure

The Cookie header included in subsequent requests contains only the name and value of the cookie:

Cookie: foo=bar

The attributes included in the Set-Cookie header are only used to determine whether the cookie should be included in the request at all. If it is included, only the name and value are sent. In PHP, cookies sent in the request are made available in the $_COOKIE superglobal array (for PHP versions prior to 4.1.0, cookies are available in the $HTTP_COOKIE_VARS array).
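To make both the four-step exchange and the attribute rules concrete, here is an added example that is not from the book and not part of PHP: a small Python cookie jar that stores a Set-Cookie header and then decides, for a later request, whether to attach the cookie. It applies the domain, expires, path and secure rules exactly as the chapter states them (domain plus subdomains, no path restriction by default, memory-only lifetime when expires is absent) and deliberately ignores the stricter rules real browsers add. The names CookieJar, exchange and parse_http_date are invented for this example, and the cookie values are constructed.

```python
# Added example (not from the book): a minimal client-side cookie jar that
# applies the Set-Cookie attributes as the chapter describes them, then
# replays the chapter's four-step exchange.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_http_date(text):
    """Parse an expires date such as 'Mon, 26 Jul 2004 12:34:56 GMT'."""
    return parsedate_to_datetime(text)


def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; a valueless attribute such as 'secure'
    is stored with an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def domain_matches(request_host, cookie_domain):
    # Sent to the named domain itself and to any of its subdomains.
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def path_matches(request_path, cookie_path):
    # Only resources within the cookie's path receive it; '/' covers everything.
    if cookie_path == "/":
        return True
    prefix = cookie_path.rstrip("/")
    return request_path == prefix or request_path.startswith(prefix + "/")


class CookieJar:
    """Keeps cookies the way a browser does and decides which ones to send."""

    def __init__(self):
        self.cookies = []

    def store(self, set_cookie_header, request_host, request_path="/"):
        name, value, attrs = parse_set_cookie(set_cookie_header)
        self.cookies.append({
            "name": name,
            "value": value,
            # Defaults follow the chapter: current domain, no path restriction,
            # memory-only lifetime (no expiry) and no secure flag.
            "domain": attrs.get("domain", request_host),
            "path": attrs.get("path", "/"),
            "expires": parse_http_date(attrs["expires"]) if "expires" in attrs else None,
            "secure": "secure" in attrs,
        })

    def cookie_header(self, request_host, request_path, over_tls, now):
        """Return the Cookie header value for a request, or None if nothing applies.

        The attributes only decide inclusion; the header itself carries name=value.
        """
        pairs = []
        for c in self.cookies:
            if c["expires"] is not None and now > c["expires"]:
                continue
            if not domain_matches(request_host, c["domain"]):
                continue
            if not path_matches(request_path, c["path"]):
                continue
            if c["secure"] and not over_tls:
                continue
            pairs.append(f"{c['name']}={c['value']}")
        return "; ".join(pairs) if pairs else None


def exchange(set_cookie_header, host="www.example.org", path="/", over_tls=True, now=None):
    """Replay the chapter's steps 1 to 3 and return the Cookie header of each request.

    Request 1 can never carry the cookie, because the server has not yet asked
    for it; only request 2 shows whether the browser kept it.
    """
    now = now or datetime.now(timezone.utc)
    jar = CookieJar()
    first = jar.cookie_header(host, path, over_tls, now)   # step 1: no cookie yet
    jar.store(set_cookie_header, host, path)               # step 2: Set-Cookie arrives
    second = jar.cookie_header(host, path, over_tls, now)  # step 3: Cookie (if it applies)
    return [first, second]


if __name__ == "__main__":
    header = "foo=bar; domain=example.org; expires=Mon, 26 Jul 2004 12:34:56 GMT; path=/; secure"
    print(exchange(header, now=parse_http_date("Thu, 01 Jan 2004 00:00:00 GMT")))
```

Running exchange() with the chapter's full header and a clock set before July 2004 returns [None, 'foo=bar']: the first request is cookieless no matter what, which is the reason the text gives for not being able to test cookie support on the first request. The same header over plain HTTP returns [None, None] because of the secure attribute, and with today's clock it also returns [None, None] because the cookie expired in 2004.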
