setcookie() / $_COOKIE Since: PHP 4 (2000)
Sends a Cookie to the client's browser, making the value available via $_COOKIE on subsequent requests. Used to save user preferences and implement "keep me logged in" functionality.
Syntax
```php
// Send a Cookie (positional form). $expires_or_options is a Unix timestamp,
// or, as of PHP 7.3, an options array, in which case the remaining parameters are omitted.
setcookie($name, $value, $expires_or_options, $path, $domain, $secure, $httponly);

// As of PHP 7.3, the attributes can be passed as an associative array.
setcookie($name, $value, $options);

// Retrieve a Cookie value (on a later request).
$_COOKIE['name'];
```
Functions / Variables
| Function / Variable | Description |
|---|---|
| setcookie($name, $value, $options) | Adds a Set-Cookie header to the HTTP response. Must be called before any output is sent (output buffering via ob_start() defers output, so headers can still be set). Returns false and emits a warning if headers have already been sent. |
| $_COOKIE | A superglobal array that holds Cookie values sent by the client. Values are not available in the request that sets the Cookie — they can be accessed starting from the next request. |
Options
| Option | Description |
|---|---|
| expires | Specifies the Cookie's expiration time as a Unix timestamp. Setting it to 0 keeps the Cookie until the browser is closed. |
| path | Specifies the path on the server where the Cookie is available. Setting it to "/" makes the Cookie available across the entire site. |
| domain | Specifies the host the Cookie is sent to. When omitted, the Cookie is sent only to the exact host that set it; when set (e.g. "example.com"), browsers also send it to subdomains. A leading dot, as in ".example.com", is accepted but ignored by current browsers (RFC 6265). |
| secure | When set to true, the Cookie is only sent over HTTPS connections. |
| httponly | When set to true, the Cookie cannot be accessed via JavaScript. |
| samesite | Specifies one of "Strict", "Lax", or "None" (PHP 7.3+). Controls whether the browser attaches the Cookie to cross-site requests, which limits CSRF. "None" must be combined with secure => true or browsers reject the Cookie. |
Sample Code
```php
<?php
// Every setcookie() call goes before any output, because each one adds a
// Set-Cookie header and headers cannot be sent once the body has started.

// Set a Cookie that is valid for 30 days.
setcookie('username', 'John Doe', [
    'expires'  => time() + 60 * 60 * 24 * 30, // Expires in 30 days.
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// Example token for a "keep me logged in" feature. Only the random token goes to
// the browser; store hash('sha256', $remember_token) against the user server-side,
// never the token itself, so a leaked database does not yield usable cookies.
$remember_token = bin2hex(random_bytes(32)); // Generate a secure token (256 bits of entropy).
setcookie('remember_token', $remember_token, [
    'expires'  => time() + 60 * 60 * 24 * 30,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// Save a theme preference in a Cookie.
$theme = 'dark';
setcookie('theme', $theme, [
    'expires'  => time() + 60 * 60 * 24 * 365, // Valid for one year.
    'path'     => '/',
    'secure'   => true,
    'httponly' => false, // JavaScript may read this one; it holds nothing sensitive.
    'samesite' => 'Lax',
]);

// To delete a Cookie, send it again with an expiration date in the past and the
// same path/domain it was set with, otherwise the browser keeps the original.
// (In a real application this would happen in a separate request, e.g. logout.)
setcookie('username', '', [
    'expires'  => time() - 3600, // One hour ago: the browser discards it immediately.
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// Output comes last. Values set above are not in $_COOKIE until the next request.
if (isset($_COOKIE['username'])) {
    echo "Hello, " . htmlspecialchars($_COOKIE['username'], ENT_QUOTES, 'UTF-8') . "!";
}

// Inspect all current Cookies. Names are client-controlled too, so escape both.
foreach ($_COOKIE as $name => $value) {
    echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . ": "
        . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . "\n";
}
```
Notes
setcookie() adds a Set-Cookie header to the HTTP response, so it must run before any output has been sent, even a single byte (a stray newline before the opening <?php tag counts). Once output has started, setcookie() returns false with a "headers already sent" warning; headers_sent() tells you whether that has happened, and output buffering with ob_start() defers the output so headers can still be set. Keep Cookie handling at the very beginning of the script.
Cookie values live on the client and can be set to anything by the user, a browser extension, or any script running on the page, so treat $_COOKIE as untrusted input: validate it (for example, check a theme value against an allowlist of known themes) and keep authentication state and other security-sensitive data in server-side sessions. Limit Cookies to non-sensitive data such as theme or language preferences that are harmless to tamper with, or to random tokens that the server maps back to its own state.
Always escape Cookie values with htmlspecialchars() (with ENT_QUOTES and an explicit charset) when outputting them, as a defense against XSS; httponly only stops JavaScript from reading the Cookie, it does not make the value safe to print. Also note that a value written by setcookie() is not visible in $_COOKIE during the same request; it arrives with the browser's next request.
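The "keep me logged in" flow that the sample code above only sketches, written out as an added example (this is not code from the original page). It uses the selector/validator pattern: the browser holds `selector:validator`, the server stores only a SHA-256 hash of the validator, the selector is looked up with an ordinary query and the validator is compared with hash_equals(). An in-memory SQLite database through PDO stands in for a real user store, and the cookie name `remember_me` and all function names are chosen for this example; both are assumptions, not PHP or page conventions.

```php
<?php
declare(strict_types=1);

// Added example: "keep me logged in" with a selector/validator token.
// The browser gets selector:validator; the server stores only sha256(validator).
// The in-memory SQLite database is a stand-in for a real user store (assumption).

const REMEMBER_COOKIE = 'remember_me';     // cookie name chosen for this example
const REMEMBER_TTL    = 60 * 60 * 24 * 30; // 30 days

function remember_store(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $pdo->exec('CREATE TABLE remember_tokens (
            selector       TEXT PRIMARY KEY,
            validator_hash TEXT NOT NULL,
            user_id        INTEGER NOT NULL,
            expires_at     INTEGER NOT NULL
        )');
    }
    return $pdo;
}

// Same attributes for setting and deleting, so the browser matches the same Cookie.
function remember_cookie_options(int $expires): array
{
    return ['expires' => $expires, 'path' => '/', 'secure' => true,
            'httponly' => true, 'samesite' => 'Lax'];
}

// Issue a token for $userId and send it as a Cookie. Returns the cookie value.
function issue_remember_token(int $userId): string
{
    $selector  = bin2hex(random_bytes(12)); // public lookup key
    $validator = bin2hex(random_bytes(32)); // secret; only its hash is stored
    $expiresAt = time() + REMEMBER_TTL;

    remember_store()
        ->prepare('INSERT INTO remember_tokens (selector, validator_hash, user_id, expires_at) VALUES (?, ?, ?, ?)')
        ->execute([$selector, hash('sha256', $validator), $userId, $expiresAt]);

    $value = $selector . ':' . $validator;
    setcookie(REMEMBER_COOKIE, $value, remember_cookie_options($expiresAt));
    return $value;
}

// Resolve a cookie value to a user id, or null if it is malformed, unknown, expired or tampered.
function validate_remember_token(string $value): ?int
{
    $parts = explode(':', $value, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null; // reject anything that is not two hex strings
    }
    [$selector, $validator] = $parts;

    $stmt = remember_store()->prepare(
        'SELECT validator_hash, user_id, expires_at FROM remember_tokens WHERE selector = ?'
    );
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < time()) {
        return null;
    }
    // Constant-time comparison of the hashes: the stored row reveals nothing about the
    // secret, and the comparison does not leak how many bytes matched.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        revoke_remember_token($selector); // known selector, wrong secret: treat as theft
        return null;
    }
    return (int) $row['user_id'];
}

function revoke_remember_token(string $selector): void
{
    remember_store()->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
}

// Logout: invalidate server-side and expire the Cookie with the attributes it was set with.
function clear_remember_token(string $value): void
{
    revoke_remember_token(explode(':', $value, 2)[0]);
    setcookie(REMEMBER_COOKIE, '', remember_cookie_options(time() - 3600));
}

// Demonstration. All setcookie() calls happen before any output.
$issued   = issue_remember_token(42);
$ok       = validate_remember_token($issued);                         // 42
$last     = substr($issued, -1);
$tampered = validate_remember_token(substr($issued, 0, -1) . ($last === 'f' ? '0' : 'f')); // null
$afterRevoke = validate_remember_token($issued);                      // null: revoked by the tampering attempt
clear_remember_token($issued);

echo "valid -> ", var_export($ok, true), PHP_EOL;
echo "tampered -> ", var_export($tampered, true), PHP_EOL;
echo "after revoke -> ", var_export($afterRevoke, true), PHP_EOL;
```

Run it from the command line with `php remember.php`; setcookie() succeeds there because nothing has been output yet. In a web request the check belongs at the top of the script, before session handling: call `validate_remember_token($_COOKIE['remember_me'] ?? '')` only when no session exists, start the session for the returned user, then revoke the used token and issue a fresh one so a captured cookie stops working after its first use.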