13.1. Cookies

You can track certain user details, such as the number of visits, a name, or the date of the last visit, using cookies: small pieces of text that the server asks the client to store, supported since Netscape 1.0. The browser stores the cookie and sends it back to the web server with every subsequent request to that server. Cookie data travels in HTTP headers: the server sets a cookie with a Set-Cookie response header, and the browser returns it in a Cookie request header.

After the first visit to a web site, the browser returns a copy of the cookie to the server each time it connects. For security reasons, the browser sends a cookie only to the domain (and path) the cookie was scoped to when it was set, so one site cannot read another site's cookies. A cookie may carry an expiration date, after which the browser deletes it; without one it lasts only until the browser is closed. A single cookie can hold about 4 KB of data, so keep what you store small.

Cookies are different from sessions: cookies store their data on the client's disk, whereas a session keeps the bulk of its data on the server and gives the client only a token, the session identifier, generated when the session starts. By default PHP stores that identifier in a single cookie with no expiration date, so the session lasts as long as the browser stays open.

Figure 13-1 illustrates where cookies are stored when a web browser requests pages; in this example, http://example.com/set.php followed by http://example.com/read.php. The cookie itself is stored by the client's browser after the first page is requested. When the client requests the second page, the browser sends the cookie data along with the request.

Figure 13-1. Client browser and server interaction with cookies


Sessions are popular partly because cookies may be blocked when a user's browser security settings are high. If cookies are disabled, PHP can fall back to passing the session identifier from page to page in the URL. That fallback has a cost: an identifier in the URL ends up in browser history, bookmarks, server logs and the Referer headers sent to other sites, so in practice it is safer to require cookies for sessions (the session.use_only_cookies setting) and leave the URL fallback off.

When you call session_start(), PHP generates a session ID and places it on the client side in a cookie. There are ways to avoid this, such as URL rewriting (the session.use_trans_sid setting), which appends the identifier to the links on each page instead.


Mostly the server uses the cookie to recognize the user and maintain the illusion of a session that spans multiple pages. Everything you could possibly want to know about cookies can be found at http://www.w3.org/Security/Faq/wwwsf2.html#CLT-Q10.
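The following is an added example, not code from the book: it starts a PHP session whose identifier is carried only in a cookie, with the URL fallback described above switched off and the identifier regenerated at login. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params and the samesite option) and a site served over HTTPS; the login_user function and the POST check are placeholders for the application's own credential handling.

```php
<?php
// Added example, not from the book: a session whose identifier travels only
// in a cookie. Assumes PHP 7.3 or later and an HTTPS site.

// Turn off the URL fallback. With use_trans_sid on, PHP appends
// PHPSESSID=... to links, which leaks the identifier into server logs,
// browser history and Referer headers sent to other sites.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Reject identifiers the server never issued (defeats session fixation by
// a planted cookie or URL).
ini_set('session.use_strict_mode', '1');

// Attributes of the cookie that carries the session ID. Must be set before
// session_start(), because that is when the Set-Cookie header is queued.
session_set_cookie_params([
    'lifetime' => 0,        // 0 = until the browser closes
    'path'     => '/',
    'domain'   => '',       // current host only
    'secure'   => true,     // never sent over plain HTTP
    'httponly' => true,     // invisible to document.cookie
    'samesite' => 'Lax',    // withheld from cross-site POSTs and embeds
]);

session_start();

/**
 * Placeholder for the application's own login step. Call it once credentials
 * have been verified: it issues a fresh identifier so an ID observed or
 * planted before login cannot be reused afterwards.
 */
function login_user(string $username): void
{
    session_regenerate_id(true);     // true = discard the old session data
    $_SESSION['user']       = $username;
    $_SESSION['login_time'] = time();
}

// Placeholder: a real application verifies a password here first.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_POST['username'])) {
    login_user($_POST['username']);
}

if (isset($_SESSION['user'])) {
    echo 'Logged in as ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
} else {
    echo 'Not logged in.';
}
```

The three ini_set calls and session_set_cookie_params must run before session_start() on every page, so in a real application they belong in a shared include (or in php.ini) rather than being repeated per script.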

13.1.1. Setting a Cookie

PHP provides an easy way to set a cookie: the function setcookie.

Because cookies are sent as HTTP response headers (Set-Cookie), you must call setcookie before the script produces any other output; once the body has started, the headers have already gone out and the call fails.


The function takes the cookie's name as its first parameter. You can optionally specify other details; for example:

 setcookie ( name , value , expire , path , domain , secure )

Table 13-1 lists the parameter values and their meanings for setcookie.

Table 13-1. setcookie parameters

Parameter | Meaning | Example value
name | The name under which the cookie is stored and retrieved. | username
value | The value stored in the cookie. | michele
expire | A Unix timestamp at which the cookie expires. If 0 or not set, the cookie expires when the user closes the browser. | time()+60*60*24*7 makes the cookie expire in a week
path | The URL path prefix on the site for which the browser sends the cookie. If omitted, the browser limits the cookie to the directory of the page that set it; / makes it available to the whole site. | /testing
domain | Like path, but limits the cookie to a host or to a group of subdomains. | www.example.com limits the cookie to that host; .example.com sends it to example.com and all of its subdomains
secure | If true (1), the browser sends the cookie only over an HTTPS connection, which encrypts the data between the client and the server. | 1 for secure; 0, the default, sends the cookie over plain HTTP as well

PHP 5.2 added a seventh parameter, httponly. When true, the browser withholds the cookie from client-side script (document.cookie), which limits what a cross-site scripting flaw can steal; PHP 7.3 also accepts an associative array of these options, including samesite, in place of the positional parameters.


Example 13-1 shows how to create a cookie with the name username and the value michele.

Example 13-1. Creating a cookie

 <?php
 // remember that setcookie must come before any other line that generates output
 setcookie("username", "michele");
 echo 'Cookie created.';
 ?>

The cookie is now set, but you can't read it in this request: $_COOKIE contains only what the browser sent, and the browser won't send the new cookie until the client reloads the page or browses to another page.
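As an added example (not from the book), here is the username cookie from Example 13-1 set with the attributes a browser needs to protect it, together with the check that output has not already started. It assumes PHP 7.3 or later for the options-array form of setcookie; the value michele and the one-week lifetime come from the chapter, and the set_username_cookie function name is the example's own.

```php
<?php
// Added example, not from the book: set the "username" cookie with
// protective attributes. Assumes PHP 7.3 or later and an HTTPS site.

function set_username_cookie(string $username): bool
{
    // Set-Cookie is a response header, so it cannot be added once the body
    // has started. Check explicitly instead of relying on a silent failure.
    if (headers_sent($file, $line)) {
        error_log("cannot set cookie: output already started at $file:$line");
        return false;
    }

    return setcookie('username', $username, [
        'expires'  => time() + 60 * 60 * 24 * 7, // one week, as in Table 13-1
        'path'     => '/',                        // whole site
        'domain'   => '',                         // current host only, no subdomains
        'secure'   => true,                       // sent only over HTTPS
        'httponly' => true,                       // hidden from document.cookie
        'samesite' => 'Strict',                   // never attached to cross-site requests
    ]);
}

// Equivalent call with the positional signature of PHP 5.2 to 7.2 (no SameSite):
// setcookie('username', $username, time() + 604800, '/', '', true, true);

if (set_username_cookie('michele')) {
    echo 'Cookie created.';
} else {
    echo 'Cookie not created.';
}

// The response header the browser receives looks roughly like:
// Set-Cookie: username=michele; expires=<date>; Max-Age=604800; path=/; secure; HttpOnly; SameSite=Strict
```

setcookie returns false when output has already been sent, so the return value is worth checking even without the headers_sent call; the explicit check simply gives a usable log message pointing at the offending line.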

13.1.2. Accessing a Cookie

Cookies can be accessed in one of two ways. The first is the $_COOKIE superglobal array, with the syntax $_COOKIE['cookiename'], as Example 13-2 demonstrates. Remember that the value came from the client and may have been altered there, so treat it as untrusted input and escape it before placing it in HTML.

Example 13-2. Viewing the username cookie

 <?php
 if (!isset($_COOKIE['username'])) {
     echo "Oops, the cookie isn't set!";
 } else {
     // the value came from the client, so escape it before writing it into HTML
     echo "The stored username is " . htmlspecialchars($_COOKIE['username']) . ".";
 }
 ?>

This code displays the stored username:

 The stored username is michele. 

You can also see all cookies at once, as the raw Cookie header string of name=value pairs separated by semicolons, in the superglobal $_SERVER['HTTP_COOKIE'].
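Because the cookie lives on the client, anything read from $_COOKIE is attacker-controlled: a user can edit the username cookie to any value before sending it back. The following added example (not from the book) signs the stored value with an HMAC so a tampered cookie is rejected on read, and escapes the value before printing it. It assumes PHP 7.1 or later; the COOKIE_KEY constant is a constructed placeholder (a real deployment loads a random key from configuration, not from source), and the sign_value, verify_value and self_check function names are the example's own.

```php
<?php
// Added example, not from the book: a tamper-evident cookie value.
// Assumes PHP 7.1 or later. COOKIE_KEY is a placeholder; load a real key
// (e.g. 32 bytes from random_bytes()) from configuration in production.

const COOKIE_KEY = 'placeholder-key-replace-with-random-bytes';

// Encode the value and append an HMAC over it. Base64 never produces '.',
// so it is a safe separator between the two parts.
function sign_value(string $value): string
{
    $mac = hash_hmac('sha256', $value, COOKIE_KEY);
    return base64_encode($value) . '.' . $mac;
}

// Returns the original value, or null when the cookie is missing, malformed
// or carries a signature that does not match.
function verify_value(?string $cookie): ?string
{
    if ($cookie === null || substr_count($cookie, '.') !== 1) {
        return null;
    }
    [$encoded, $mac] = explode('.', $cookie, 2);
    $value = base64_decode($encoded, true);   // strict: reject stray characters
    if ($value === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $value, COOKIE_KEY);
    // Constant-time comparison; a plain === would leak how many leading
    // bytes of a guessed MAC were right.
    return hash_equals($expected, $mac) ? $value : null;
}

// Constructed self-check: a genuine signature verifies, a forged cookie
// carrying the right shape but a wrong MAC does not.
function self_check(): bool
{
    $genuine = verify_value(sign_value('michele')) === 'michele';
    $forged  = verify_value(base64_encode('mallory') . '.' . str_repeat('0', 64)) === null;
    return $genuine && $forged;
}

// Write side, in the script that sets the cookie (before any output):
// setcookie('username', sign_value('michele'), ['path' => '/', 'secure' => true, 'httponly' => true]);

// Read side, the counterpart of Example 13-2:
$username = verify_value($_COOKIE['username'] ?? null);
if ($username === null) {
    echo "Oops, the cookie isn't set or has been tampered with!";
} else {
    // Escape before output: cookie contents must never reach HTML unencoded.
    echo 'The stored username is ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . '.';
}

echo self_check() ? ' (self-check passed)' : ' (self-check FAILED)';
```

Signing stops tampering but not reading: the value is still visible to the user and to anyone who captures it, so data that must stay secret belongs in the server-side session rather than in a cookie.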

13.1.3. Destroying a Cookie

Cookies can be destroyed or deleted by the client or the server. Clients can delete their cookies through the browser's privacy settings or by clearing the browser's cookie store on disk. The server can delete a cookie by:

  • Resetting a cookie by specifying expiration time

  • Resetting a cookie by specifying its name only (PHP then sends an empty value with an expiration in the past)

In both instances you use the setcookie function. To destroy a cookie by specifying the expiration time, call setcookie with an expiration date in the past, as is done in Example 13-3. The path and domain must match those used when the cookie was set; otherwise the browser treats the deletion as a different cookie and keeps the original.

Example 13-3. Destroying a cookie by expiring it in the recent past

 <?php
 // remember that setcookie must come before any other line that generates output
 setcookie("username", "", time() - 10);
 echo 'Rosebud.';
 ?>

Example 13-3 returns:

 Rosebud. 

Now if you called the code in Example 13-2 again, you'd get:

 Oops, the cookie isn't set! 
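Example 13-3 works because the cookie was set with default path and domain. As an added example (not from the book), the following deletes a cookie that was set with explicit attributes, re-sending the same path, domain and flags so the browser matches it to the existing cookie, and clears the local copy in $_COOKIE for the rest of the request. It assumes PHP 7.3 or later for the options array, and that USERNAME_COOKIE_ATTRS holds the same values used when the cookie was created; the delete_cookie function name is the example's own.

```php
<?php
// Added example, not from the book: delete a cookie set with explicit
// attributes. Assumes PHP 7.3 or later. The attribute values must match the
// ones used when the cookie was created.

const USERNAME_COOKIE_ATTRS = [
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
];

function delete_cookie(string $name, array $attrs): bool
{
    if (headers_sent()) {
        return false;   // too late: the headers are already on the wire
    }
    // Empty value plus an expiry in the past both signal deletion. Browsers
    // judge Expires against their own clock, so a 10 s margin fails when the
    // client's clock runs behind the server's; a full day is safe.
    $attrs['expires'] = time() - 86400;
    return setcookie($name, '', $attrs);
}

delete_cookie('username', USERNAME_COOKIE_ATTRS);

// $_COOKIE still holds the value the browser sent with *this* request; the
// deletion only takes effect on the next one. Drop the local copy so later
// code in this script does not keep treating the user as identified.
unset($_COOKIE['username']);

echo 'Rosebud.';
```

A cookie set with path /testing and deleted with path / survives, and the reverse does too: the browser stores each (name, domain, path) combination separately, so the deletion must name the same combination.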

Sometimes you may want to restrict pages so that not everyone can view them. You can do this by having PHP request authentication from the HTTP server.



Learning PHP and MySQL
ISBN: 0596101104

flylib.com © 2008-2017.