Quakenet/#php Tutorial

Note: If you opened this page from an external URL, be aware that all chapters are linked together. Make sure you have also read all prior chapters of this tutorial; otherwise you will miss relevant content explained earlier.

Cookies

  1. What are cookies
  2. Create a cookie
  3. Read out a cookie
  4. Delete a cookie
  5. Security for external values

1. What are cookies

Cookies are text lines which are stored on the client (the browser) and are sent to the web server with each request. These lines look like assignments, as in UserID=10. In this example we say we have a cookie called UserID with the (string) value 10. Additionally, each cookie has a lifetime which defines how long the browser should store the cookie. If there is no such lifetime, the browser deletes the cookie when it is closed.

Each browser has settings controlling which cookies are saved and for how long. This cannot be changed with PHP. If a PHP script sends a cookie to the client, you don't know whether the cookie is actually saved by the browser or simply discarded. You only find out at the next request from the client.

2. Create a cookie

You create a cookie with the function setcookie. This function alters the headers, which means you can only send cookies if you haven't produced any output yet, such as echo or HTML code. The first parameter is the name of the cookie, the second parameter is the value.

<?php
setcookie("UserID", "10");
?>

Such a cookie is kept by the browser for as long as it is running. If you close the browser, the cookie is deleted. If the cookie should be stored longer, you must supply a timestamp at which the cookie should be deleted.

<?php
setcookie("UserID", "10", time()+60*60*24); // 1 day
setcookie("Foo", "Bar", time()+60); // 1 minute
?>

3. Read out a cookie

All cookies which are sent by the browser are stored in the superglobal array $_COOKIE. The index is the name of the cookie and the value is the value of the cookie. If you have a cookie line UserID=5, an entry $_COOKIE['UserID'] = '5'; is created. The values are strings or arrays, like all external values.

<?php
// if you have a cookie "Foo=Bar"
var_dump($_COOKIE['Foo']); // outputs string(3) "Bar"

// if you have the following cookies:
// "Bla[]=10"
// "Bla[]=x"
var_dump($_COOKIE['Bla']);
// output is:
// array(2) {
//   [0] =>
//   string(2) "10"
//   [1] =>
//   string(1) "x"
// }
?>

Cookies are only stored in $_COOKIE if the browser sent them. This means a cookie is not in the array right after you called the setcookie function.

<?php
setcookie("Name", "Value");
echo $_COOKIE['Name']; // doesn't work (unless there is already such a cookie)
?>

A setcookie call sends the request to save a cookie to the client, so the $_COOKIE array isn't filled yet. It would only be possible if the browser could travel back in time and send the request again with the cookie.

To check whether a cookie was sent, use the isset function. After this check you can read the cookie without getting an error message.

4. Delete a cookie

There is no function to delete a cookie, but you can use setcookie to delete one. To delete a cookie, set the lifetime value to a time in the past. To be safe, also set the value of the cookie to an invalid value like an empty string.

<?php
setcookie("Name", "", time()-60*60*24);
?>
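As an added example, not code from the tutorial: the same create/delete pair written with the options-array form of setcookie (PHP 7.3 and later), which also sets the attributes that limit where the browser sends the cookie. The path /app and the helper names are assumptions for illustration. A browser identifies a cookie by its name together with its path and domain, so the deleting call has to repeat the same path and domain as the creating call; routing both through one helper makes that hard to get wrong.

```php
<?php
// Added example (not from the tutorial): create and delete a cookie with the
// options-array form of setcookie(), available since PHP 7.3.
// The cookie name "UserID" and value "10" come from the tutorial; the path
// "/app" is an assumed value for illustration.

declare(strict_types=1);

// Attributes every cookie in this (hypothetical) application carries.
// They must be identical when a cookie is created and when it is deleted,
// otherwise the browser treats the two Set-Cookie headers as different cookies.
function cookieOptions(int $expires): array
{
    return [
        'expires'  => $expires,
        'path'     => '/app',      // only sent for URLs below /app (assumed path)
        'secure'   => true,        // only sent over HTTPS
        'httponly' => true,        // not readable from JavaScript (document.cookie)
        'samesite' => 'Strict',    // not sent with cross-site requests
    ];
}

// Create (or renew) a cookie that lives $ttl seconds from $now.
function createCookie(string $name, string $value, int $ttl, int $now): bool
{
    return setcookie($name, $value, cookieOptions($now + $ttl));
}

// Delete: same name, same path/domain, expiry in the past, empty value,
// exactly as the tutorial describes, just with the attributes kept in sync.
function deleteCookie(string $name, int $now): bool
{
    return setcookie($name, '', cookieOptions($now - 60 * 60 * 24));
}

$now = time();
createCookie('UserID', '10', 60 * 60 * 24, $now); // 1 day
deleteCookie('UserID', $now);
```

With secure set, the browser only keeps the cookie when the page was served over HTTPS; on a plain http:// development server it is silently discarded, which is exactly the situation described in section 1 where the script cannot tell until the next request arrives.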

5. Security for external values

As cookies are stored on the client, you shouldn't trust the values you get. A cookie login=1 shouldn't be enough to get logged in to your system. Additionally, you should check that the values have the expected form, for example that numbers really are numbers, to prevent injections like SQL injection.
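Pulling sections 3 and 5 together, as an added example that is not part of the tutorial: read a cookie only after the isset check, reject anything that is not a plain positive integer, and use the value only as a bound parameter in a prepared statement. The users table, its rows and the sample $_COOKIE arrays are constructed here so the script runs offline; it assumes the pdo_sqlite extension, and the table and column names are made up.

```php
<?php
// Added example (not from the tutorial): read "UserID" only after isset(),
// validate it as a positive integer, and use it only in a prepared statement.
// The in-memory SQLite table and the sample cookie arrays are constructed here.

declare(strict_types=1);

// Return the cookie value as a string, or null if the browser did not send it
// or sent it in array form ("UserID[]=1") where a plain string was expected.
function cookieString(array $cookies, string $name): ?string
{
    if (!isset($cookies[$name]) || !is_string($cookies[$name])) {
        return null;
    }
    return $cookies[$name];
}

// Accept only a decimal integer >= 1. filter_var() rejects "10abc" and "1e3";
// the min_range option rejects "0" and "-1". The tutorial's "10" passes.
function cookieUserId(array $cookies): ?int
{
    $raw = cookieString($cookies, 'UserID');
    if ($raw === null) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Look the user up with a bound parameter: the cookie text is never spliced
// into the SQL string, so a malformed value cannot change the query.
function findUserName(PDO $db, array $cookies): ?string
{
    $id = cookieUserId($cookies);
    if ($id === null) {
        return null;
    }
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

// Constructed test data (hypothetical table and rows).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (id, name) VALUES (10, 'alice'), (11, 'bob')");

// Constructed cookie arrays standing in for $_COOKIE in different requests.
$samples = [
    ['UserID' => '10'],     // well-formed, matches a row
    ['UserID' => '10abc'],  // not an integer: rejected before any SQL runs
    ['UserID' => ['10']],   // array where a string is expected
    [],                     // cookie not sent at all
];
foreach ($samples as $cookies) {
    var_dump(findUserName($db, $cookies));
}
```

The looked-up id only says which record to read; it is not proof that the visitor is that user, which is the tutorial's login=1 point. Whether someone is logged in belongs in server-side state such as a session, keyed by an identifier the server generated, not in a cookie value the client can edit.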

Questions about the chapter

No questions

Copyright © to the OPs of #php/QuakeNet