1. What are cookies
Cookies are text lines which are stored on the client (the browser) and are
sent to the web server with each request. These lines look like assignments, as in
UserID=10. In this example we say we have a cookie called UserID
with the (string) value 10. Additionally, each cookie has a lifetime which
defines how long the cookie should be stored in the browser. If there is no such lifetime,
the browser deletes the cookie on shutdown.
Each browser has settings that control how long cookies are kept and which ones are saved at all. This cannot be changed with PHP. If a PHP script sends a cookie to the client you don't know whether the cookie is actually saved by the browser or simply discarded. You only find out at the next request from the client.
2. Create a cookie
You create a cookie with the function setcookie. This function alters the headers, which means you can only send cookies if you haven't produced any output yet, such as echo or HTML code. The first parameter is the name of the cookie, the second parameter is the value.
<?php
setcookie("UserID", "10");
?>
Such a cookie is saved in the browser as long as it is running. If you close the browser the cookie is deleted. If the cookie should be stored longer you must supply a timestamp at which the cookie should be deleted.
<?php
setcookie("UserID", "10", time()+60*60*24); // 1 day
setcookie("Foo", "Bar", time()+60); // 1 minute
?>
3. Read out a cookie
All cookies which are sent by the browser are stored in the superglobal
array $_COOKIE. The index is the name of the cookie and the
value is the value of the cookie. If you have a cookie line UserID=5,
a cookie $_COOKIE['UserID'] = '5'; is created. The values are strings
or arrays, like all external values.
<?php
// if you have a cookie "Foo=Bar"
var_dump($_COOKIE['Foo']); // outputs string(3) "Bar"
// if you have the following cookies:
// "Bla[]=10"
// "Bla[]=x"
var_dump($_COOKIE['Bla']);
// output is:
// array(2) {
// [0] =>
// string(2) "10"
// [1] =>
// string(1) "x"
// }
?>
Cookies are only stored in $_COOKIE if the browser sends
them. This means the cookie isn't in the array right after you called
the setcookie function.
<?php
setcookie("Name", "Value");
echo $_COOKIE['Name']; // doesn't work (unless there is already such a cookie)
?>
A setcookie call sends the request to save a cookie to the client, so
the $_COOKIE array isn't filled yet. It could only be filled if the
browser could travel back in time and resend the request with the cookie.
To check whether a cookie was sent, use the isset function. After this check you can read the cookie without getting an error message.
4. Delete a cookie
There is no function to delete a cookie, but you can use setcookie to delete one. To delete a cookie you set the lifetime to a time in the past. To be safe you should also set the value of the cookie to an invalid value such as an empty string.
<?php
setcookie("Name", "", time()-60*60*24);
?>
5. Security for external values
As cookies are stored on the client, you shouldn't trust the values you get.
A cookie login=1 shouldn't be enough to get logged into your
system. Additionally, you should check that the values are in the form you
expect, for example that numbers really are numbers, to prevent injections such as
SQL injection.
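As an added example (not part of the original text), here is how the isset check from section 3 and the validation from section 5 fit together. It assumes a cookie UserID that should hold a positive integer, and it uses an in-memory SQLite database through PDO (needs the pdo_sqlite extension) so it runs stand-alone.

```php
<?php
// Added example, not from the original tutorial.
// Assumption: the cookie "UserID" is expected to carry a positive integer.

// Returns the user id as an int, or null if the cookie is missing or malformed.
function readUserIdCookie(array $cookies): ?int
{
    // isset covers the "browser did not send it" case from section 3;
    // is_string covers "UserID[]=..." which arrives as an array.
    if (!isset($cookies['UserID']) || !is_string($cookies['UserID'])) {
        return null;
    }
    $value = $cookies['UserID'];
    // ctype_digit rejects "", "-1", "10 OR 1=1", "1e3" and leading spaces;
    // the length cap keeps the value inside a 64-bit integer.
    if (!ctype_digit($value) || strlen($value) > 18) {
        return null;
    }
    return (int) $value;
}

// Constructed samples that stand in for $_COOKIE on different requests:
// only the first one yields an id, the other three are rejected.
$samples = [
    ['UserID' => '10'],
    ['UserID' => '10 OR 1=1'],
    ['UserID' => ['x']],
    ['Foo' => 'Bar'],
];
foreach ($samples as $cookies) {
    var_dump(readUserIdCookie($cookies));
}

// Even a validated id is never concatenated into SQL: bind it instead.
// Assumption: an in-memory SQLite database stands in for the real one.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (10, 'alice')");

$userId = readUserIdCookie($_COOKIE);
if ($userId !== null) {
    // The bound parameter is sent as data, never parsed as SQL.
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // A matching row is still not a login: the cookie proves nothing about
    // who sent it, just like login=1 would not. Keep log-in state server-side.
    var_dump($row);
}
```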