Patrick Taylor

Cookies with PHP

In essence web cookies are a form of communication between a particular browser and the server where a website is located. Their purpose is to allow the server to remember certain things that happened in that browser. What happens in one browser (eg: a login / logout) is not the same as things that happen in other browsers, even on the same computer.

A cookie is a small file (maximum size of 4KB) which the server sends to a user's browser. Each time the same browser requests a page, it will send the cookie too. It can only be read from the domain path it has been issued from. So if the browser is reading a page in "/" (domain root) a cookie with a path of "/path/" can't be read.

Someone else's browser can't access or read the cookie unless it was sent by the server to that 'someone else', for example if they requested the page which sends the cookie.

Set, delete, get value of secure or insecure cookie

// Syntax
setcookie(name, value, expire, path, domain, secure, httponly);
// Only the name parameter is required. All other parameters are optional.

// Parameters (arguments)
setcookie("string", "string", integer, "string", "string", bool, bool);
// expire integer is in seconds
// bool is 1 (TRUE) or 0 (FALSE)

// Set secure cookie (one hour)
setcookie("name", "value", time() + 3600, "/path/", "", 1, 1);

// Set insecure cookie (one hour)
setcookie("name", "value", time() + 3600, "/path/");

// Delete secure cookie (minus one hour)
setcookie("name", "value", time() - 3600, "/path/", "", 1, 1);

// Delete insecure cookie (minus one hour)
setcookie("name", "value", time() - 3600, "/path/");

// Get value of cookie
if (isset($_COOKIE['name'])) {
  $value = $_COOKIE['name'];

// Check if cookies are enabled
if (count($_COOKIE) > 0) {
  echo "Cookies are enabled.";
} else {
  echo "Cookies are disabled.";


If secure (1), the cookie will be sent only over secure connections (https) and prevents sending it across as cleartext (not encrypted).

If httponly (1), PHP will attempt to send the httponly flag when setting the session cookie. It makes it inaccessible to JavaScript and is therefore more secure by helping to prevent cross-site scripting attacks.

If the expiration time of the cookie is set to 0 (or omitted) the cookie will expire at the end of the session, i.e. when the browser closes.

When deleting a cookie, the same path, domain, and other arguments should be passed that were used to create it, to ensure that the correct cookie is deleted.

A cookie scenario: logging in and out

A website has some password-protected 'admin' pages. Cookies are used to establish a 'logged-in' state so a user does not need to login each time an admin page is viewed. A test_cookie in the root directory is used to verify cookies are enabled by the user. A logged_in_cookie in the admin directory is used to verify the password.

When the user logs out, the logged_in_cookie is still requested (because it still exists in the browser) but the server responds that the cookie has now been deleted so the next request will not include the logged_in_cookie. The user will stay logged in only as long as the server responds with the logged_in_cookie value as the correct password. It expires in 10 days, so even if the user does not log out, in 10 days a fresh login will be required.

10 days is a matter of judgement as to what is convenient for the administrator. The logged_in_cookie can be set to expire in 1 day, 10 days, or 100 days. It depends how often a fresh login is appropriate.

Cookie security

When logged in at (3) the logged_in_cookie containing password verification is sent by the browser with each request for an admin page for the admin pages to keep opening without having to keep logging in with each click. Can anyone else read or hijack it is the question, because if they can, they might be able to hack the admin pages themselves.

That's why it's important for the logged_in_cookie to be a 'secure' cookie and sent only via https:// (encrypted) and httponly (inaccessible to JavaScript). A /path/ other than root (/) and not revealing the name of the admin directory will also help. And logout after each admin session to delete the cookie.

More about cookies on MDN web docs moz:lla »

Technical »

Page last modified: 11 September, 2020