Cookies in PHP

Learn how to create, modify, and delete cookies using PHP.

By David Sklar and Adam Trachtenberg

Setting and reading cookies in PHP is a piece of—dare we say it?—cake. We don't want to get into all the propaganda about cookies, but they're important and useful. Sometimes they're the right tool for the job.

To create and modify a cookie, use the PHP function setcookie(). setcookie() takes up to six arguments, depending upon how much control you want over the cookie and who can read its value.

The simplest way of setting a cookie is like this:

setcookie('name', 'bret');

Then, for every further page on your site viewed by this browser (without the user quitting) you'll have the value of 'bret' stored in the variable $name for easy access in PHP. This type of cookie is known as a session cookie, since it lasts for the length of a user's session.

If you want the cookie to persist after the person exits his or her browser, you must pass setcookie() a third parameter, the date you want the cookie to expire. Since PHP's background springs fully formed from the head of Unix, you represent this time as the number of seconds since January 1, 1970. If you're a Unix programmer, this makes complete sense. But, if you're from a Windows or a Macintosh background, you're just shaking your head wondering if you'll ever understand those wacky Unix folk.

Do not fear. PHP has a very nice function, mktime(). You pass mktime() (in this order) the hour, minute, second, month, day, and year that you want to represent, and mktime() returns to you the number of seconds since January 1, 1970. So, if you want to simulate a Y2K meltdown:

<?php
$y2k = mktime(0,0,0,1,1,2000);
setcookie('name', 'bret', $y2k);
?>

Now your cookie will end with the millennium.

If you want to update a cookie to store a newer value, you can simply overwrite its value. So, even if you've already sent the cookie above on an earlier page, it's perfectly legal to go ahead and change your name to "jeff."

<?php
$y2k = mktime(0,0,0,1,1,2000);
setcookie('name', 'jeff', $y2k);
?>

Note that doing this doesn't alter the value of the variable $name. It's set when the page is loaded. If you want to make sure these two are always in sync, you can code like this:

<?php
$name = 'jeff';
$y2k = mktime(0,0,0,1,1,2000);
setcookie('name', $name, $y2k);
?>

The next two parameters for setcookie() let you control the path and the domain of who can read your cookie. By default, only pages equal to or lower down in the hierarchy on the same server that sends the cookie can read its value. That's for security's sake. However, if you had an account that's sometimes "www.domain.com" but also "other.domain.com," and your account lets you serve pages from ~/myhome, you should modify setcookie() as such:

<?php
$y2k = mktime(0,0,0,1,1,2000);  // expiry timestamp, as in the earlier examples
setcookie('name', 'jeff', $y2k, '~/myhome', '.domain.com');
?>

The last parameter to setcookie(), which we've never used, instructs that the cookie be sent only to a Web server that's running a secure connection such as SSL. For this to occur, set the sixth value to 1.

Deleting a cookie is simple: pass setcookie() the name of your cookie and PHP will arrange for it to be deleted.

<?php setcookie('name'); ?>

There's one last important item to mention about using cookies. Because of the way cookies work within HTTP, it's important that you send all cookies before you print any text. If you don't, PHP will give you a warning and your cookies will not be sent. So, this is OK:

<?php
setcookie('name', 'jeff');
echo "Hello Everyone!";
?>

But this is not:

<?php
echo "Hello Everyone!";
setcookie('name', 'jeff');
?>
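
The pieces above combined into one script, as an added example that is not code from the original article: it checks headers_sent() before calling setcookie(), uses all six arguments, and deletes a cookie with the same path and domain it was set with. The helper names, the path '/account/' and the domain '.example.com' are assumptions, the site is assumed to be served over HTTPS, and values are read from $_COOKIE because current PHP no longer creates a global $name.

```php
<?php
// Added example (not from the original article). Helper names, the path
// '/account/' and the domain '.example.com' are assumptions.

// Send a cookie using setcookie()'s six positional arguments.
// Returns false, and logs where output began, if it is too late to send headers.
function send_cookie(string $name, string $value, int $expires = 0,
                     string $path = '/', string $domain = '', bool $secure = true): bool
{
    if (headers_sent($file, $line)) {
        error_log("Cookie '$name' not sent: output began at $file:$line");
        return false;
    }
    return setcookie($name, $value, $expires, $path, $domain, $secure);
}

// Delete a cookie: expire it in the past with the same path and domain it
// was set with, because the browser matches cookies on name, domain and path.
function delete_cookie(string $name, string $path = '/', string $domain = ''): bool
{
    unset($_COOKIE[$name]);   // keep the rest of this request consistent
    return send_cookie($name, '', time() - 3600, $path, $domain);
}

// Value the browser sent with this request, or null on the first visit.
$previous = $_COOKIE['name'] ?? null;

// Persist for 30 days, limited to /account/ on hosts under example.com,
// and sent only over a secure connection (sixth argument).
$sent = send_cookie('name', 'jeff', time() + 30 * 86400,
                    '/account/', '.example.com', true);

// setcookie() only queues a response header; $_COOKIE still holds what the
// browser sent, so update it by hand if later code in this request reads it.
if ($sent) {
    $_COOKIE['name'] = 'jeff';
}

// Output starts only after every cookie has been sent.
echo 'Hello, ', htmlspecialchars($_COOKIE['name'] ?? 'stranger'), "!\n";
```
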
David Sklar is the CTO of Student.Net Publishing.

Adam Trachtenberg is the Vice President for Production of Student.Net Publishing.