PHP and Cookies

You have just as much access to the cookies that belong to the web page from PHP as you have from JavaScript. In fact you have access to the same cookies, so a cookie written by PHP can be read from JavaScript and vice versa. Where PHP differs from JavaScript with respect to cookies is in how cookies are accessed.

In PHP you do not need to specifically read cookies in your code, and in fact there is no provision for you to do so. Since cookies are stored on your visitor's computer, the only reason PHP can read them at all is that they are all passed to the server when the request to load a new web page that has access to those cookies is made. So once your PHP starts running, all of the cookies that the page has access to have already been read and are available through the $_COOKIE[] global array. The same values may also be available through the $_REQUEST[] array, which also contains the variables passed using the querystring or POSTed to the page. However, where any duplicate names exist between any of the three, only one will be returned, depending on how the server is configured for processing $_REQUEST[]. Since you should know which way you are expecting values to be passed, you should read from the specific array rather than using $_REQUEST.

PHP writes cookies using the setcookie() function. This function can take up to seven parameters, only the first of which is mandatory. The parameters this function can use are as follows.

  1. name - the name of the cookie to be saved
  2. value - the value to be saved in that cookie
  3. expire - when the cookie is to expire; if not specified, the cookie will be held in the browser and not saved to your visitor's computer, just the same as it works in JavaScript
  4. path - the path for which the cookie is to be available, where '/' indicates the entire domain and omitting it restricts the cookie to the current directory, just the same as the corresponding parameter works in JavaScript
  5. domain - controls whether the cookie is also available to sub-domains, the same as the corresponding parameter in JavaScript
  6. secure - if this is set to true then the cookie will only be passed if the https protocol is being used to encrypt the headers. This parameter has no JavaScript equivalent since with JavaScript the cookie never leaves your visitor's computer
  7. httponly - if this is set to true then the cookie will only be available from the server and will not be accessible to JavaScript; there is no corresponding JavaScript only option.

The setcookie function returns true if the cookie has been created successfully to send to the browser and false if it fails for any reason. Note that this does not test whether your visitor actually accepts the cookie: the call can return true and send the cookie to the browser, and the cookie can then be discarded due to your visitor's settings with regard to session or first party cookies.

There is one further limitation in the way you need to use cookies in PHP that is different to the way that it works in JavaScript, and that is with respect to when you can write cookies. While JavaScript can write cookies at any time, since it is actually running in the browser that will retain or save the cookie, you are more limited in PHP. PHP needs to be able to pass the cookies that have been set back to the browser before the browser is able to do anything with them, and it does this by passing the cookies in the headers that precede the actual page content. Because of this, all of your setcookie calls must be done prior to any of the actual page content being produced or you will get a "headers already sent" error and your cookies will not be saved.
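
The points above put together, as an added example that is not part of the original article: a cookie written with all seven setcookie() parameters before any page content is produced, and read back from $_COOKIE rather than $_REQUEST. The cookie name "theme", the allowed values and the 30-day lifetime are assumptions made for the illustration.

```php
<?php
// Added example, not from the original article. The cookie name, the
// allowed values and the 30-day lifetime are assumptions.
const THEME_COOKIE = 'theme';
const THEMES = ['light', 'dark'];

/** Send the cookie; false if headers are already sent or setcookie() fails. */
function remember_theme(string $theme): bool
{
    if (!in_array($theme, THEMES, true)) {
        return false;          // never store a value we would not accept back
    }
    if (headers_sent($file, $line)) {
        // Page content was already produced, so no cookie header can be added.
        error_log("Cookie not set: output started at $file:$line");
        return false;
    }
    return setcookie(
        THEME_COOKIE,          // 1. name
        $theme,                // 2. value
        time() + 30 * 86400,   // 3. expire: 0 keeps the cookie in the browser only
        '/',                   // 4. path: entire domain
        '',                    // 5. domain: empty means the current host only
        true,                  // 6. secure: only passed over https
        true                   // 7. httponly: not accessible to JavaScript
    );
}

/** Read the cookie from $_COOKIE specifically, never from $_REQUEST. */
function current_theme(): string
{
    $value = $_COOKIE[THEME_COOKIE] ?? '';
    // The value comes from the visitor's browser, so accept only known values.
    return in_array($value, THEMES, true) ? $value : THEMES[0];
}

// All cookie work happens before any page content is produced.
if (isset($_POST['theme']) && is_string($_POST['theme'])) {
    remember_theme($_POST['theme']);
}
$theme = current_theme();
?>
<!DOCTYPE html>
<html><body class="<?= htmlspecialchars($theme, ENT_QUOTES) ?>">...</body></html>
```

Because cookies only reach PHP with the request, a value just passed to setcookie() does not appear in $_COOKIE until the next page load.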


This article written by Stephen Chapman, Felgall Pty Ltd.
