PHP - Cookies Tutorial
From Global Programming Syntax
Cookies are a basic part of web programming in PHP and are used mainly for passing data between pages. In this tutorial you will learn how to use cookies and some best practices. As a note, you may be interested to know that PHP sessions also use a cookie (a single one) for user identification. By default this cookie is called PHPSESSID.
Basic Usage
Now that you have heard of cookies you may want to actually make one. There are three simple steps to setting up a cookie. The first step is to decide on the cookie name; for this cookie I will call it 'yummy'. Then you need to decide on a value for it; I have decided on 'Chocolate chip'. The third step is deciding when the cookie expires. To make the cookie last for a year use time()+(60*60*24*365): the arithmetic at the end adds to the current time the number of seconds until expiry. Also note that the setcookie() function must be called before any browser output. If there is browser output before the setcookie() call then you will get an error message, because the cookie is sent as an HTTP header and headers cannot be sent once output has started. Below is an example of all of this.
<?php
// setcookie() must be called before any browser output
setcookie('yummy', 'Chocolate chip', time()+(60*60*24*365));
// $_COOKIE holds what the browser sent with this request, so the new
// cookie is only visible on the next request; guard the lookup to avoid
// an undefined index notice on the first load
echo isset($_COOKIE['yummy']) ? $_COOKIE['yummy'] : '(cookie not received yet)';
?>
Now you have a cookie called yummy, with the value 'Chocolate chip', that expires in one year's time. Next you might ask: how do I use this cookie? As in the above example, you use the $_COOKIE array to retrieve all of your cookies, so all you need to do is echo $_COOKIE['cookiename'];. Also note that $_COOKIE is filled from the cookies the browser sent with the current request, so a newly set cookie will not be retrieved until the page has been refreshed. The best method is therefore as follows:
<?php
if (true) {
    // populate $_COOKIE by hand so this request sees the value too
    $_COOKIE['yummy'] = 'Chocolate chip';
    // no browser output before here
    setcookie('yummy', 'Chocolate chip', time()+(60*60*24*365));
}
echo $_COOKIE['yummy'];
?>
So in the above example the cookie is created and shown on the same request. But remember to adjust the if statement to your needs (for example, only set the cookie when it is not already present). Now you have a fully functional cookie. Next you might ask: how do I delete the cookie? That is simple. You set the cookie to no value with the expiry set to 0. Below is an example that deletes the yummy cookie.
// no browser output before here; PHP treats an empty value as a deletion
// and sends the cookie with an expiry date in the past
setcookie('yummy', '', 0);
And once again, there must be no browser output before that line.
Security
You may want to note that just because the data is stored in a cookie doesn't mean that it's secure. A user can easily create or modify a cookie to inject nasty data into your PHP script. For example, if you just use the user's username in a cookie as the only verification, then that user could easily change the cookie to anybody else's username and gain access to other people's data. To avoid this you need to use hashes. For example, if you used a hash of the username with a long salt that is kept secret on the server, then the user will have a hard time trying to inject somebody else's unique hash ID, as there are so many combinations and they cannot compute a valid hash without the salt. Alternatively, keep the username in a PHP session (see the note on PHPSESSID above) so that only the session ID ever travels in a cookie.
This also applies to when you echo a cookie. You should never use the following code as is.
// unsafe: the cookie contents are sent to the browser exactly as the user supplied them
echo $_COOKIE['mycookie'];
// instead use the below, which escapes HTML special characters
echo htmlentities($_COOKIE['mycookie']);
This is because a user could replace the contents of the cookie with HTML code and JavaScript which links to malicious websites. But with the htmlentities() function, the < and > symbols (and other special characters such as quotes and ampersands) are encoded in a way that prevents them from being executed as HTML or JavaScript code.
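As an added example (not part of the original tutorial), here is one way to carry out the hashing advice above: the cookie stores the username together with a keyed hash (HMAC via hash_hmac(), standing in for "hash plus secret salt") computed with a secret that lives only on the server, so a user who edits the username cannot produce a matching tag. The cookie name, the secret and the helper function names are assumptions chosen for illustration.

```php
<?php
// Added example: a tamper-evident "who am I" cookie. Names and values are assumed.
const AUTH_COOKIE = 'auth';
// In a real deployment load this from configuration outside the web root; never hard-code it.
const COOKIE_SECRET = 'replace-with-a-long-random-server-side-secret';

// Build the cookie value: base64(username) . '.' . HMAC-SHA256(base64(username), secret)
function makeAuthCookieValue(string $username, string $secret): string
{
    $payload = base64_encode($username);
    $tag = hash_hmac('sha256', $payload, $secret);
    return $payload . '.' . $tag;
}

// Return the username if the tag verifies, or null if the cookie is missing or altered.
function readAuthCookieValue(?string $value, string $secret): ?string
{
    if ($value === null || substr_count($value, '.') !== 1) {
        return null;
    }
    [$payload, $tag] = explode('.', $value, 2);
    $expected = hash_hmac('sha256', $payload, $secret);
    // hash_equals() compares in constant time so timing differences do not leak the tag.
    if (!hash_equals($expected, $tag)) {
        return null;
    }
    $username = base64_decode($payload, true);
    return $username === false ? null : $username;
}

// Issue the cookie, e.g. after a successful login (before any browser output, as above).
// HttpOnly hides it from JavaScript, Secure restricts it to HTTPS, SameSite limits
// cross-site sending. The options-array form of setcookie() needs PHP 7.3 or later.
function issueAuthCookie(string $username): void
{
    setcookie(AUTH_COOKIE, makeAuthCookieValue($username, COOKIE_SECRET), [
        'expires'  => time() + (60 * 60 * 24 * 365),
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// On later requests: reject anything whose tag does not match, then escape before echoing.
$user = readAuthCookieValue($_COOKIE[AUTH_COOKIE] ?? null, COOKIE_SECRET);
if ($user === null) {
    echo 'Not logged in (cookie missing or tampered with)';
} else {
    echo 'Hello, ' . htmlentities($user, ENT_QUOTES, 'UTF-8');
}
```

Changing a single character of the username or the tag in the browser makes readAuthCookieValue() return null, which is the behaviour the plain-username cookie described above lacks.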
