After a cookie is set, only the originating host can read the data, ensuring that the user's privacy is respected. Furthermore, the user can configure her browser to notify her upon receipt of all cookies, or even to refuse all cookie requests. For this reason, cookies should be used in moderation and should not be relied on as an essential element of an environment design without first warning the user.
The Anatomy of a Cookie
A PHP script that sets a cookie might send headers that look something like this:
HTTP/1.1 200 OK
Date: Tue, 07 May 2006 13:39:58 GMT
Server: Apache/2.0.58 (Unix) PHP/5.1.4
X-Powered-By: PHP/5.1.4
Set-Cookie: vegetable=artichoke; path=/; domain=yourdomain.com
Connection: close
Content-Type: text/html
As you can see, this Set-Cookie header contains a name/value pair, a path, and a domain. If set, the expiration field provides the date at which the browser should "forget" the value of the cookie. If no expiration date is set, the cookie expires when the user's session expires; that is, when he closes his browser.
The path and domain fields work together, as the path is a directory found on the domain, below which the cookie should be sent back to the server. If the path is "/", which is common, that means the cookie can be read by any files below the document root. If the path were "/products/", the cookie could be read only by files within the /products directory of the website.
The domain field represents the Internet domain from which cookie-based communication is allowed. For example, if your domain is www.yourdomain.com and you use www.yourdomain.com as the domain value for the cookie, the cookie will be valid only when browsing the www.yourdomain.com website. This could pose a problem if you send the user to a host such as www2.yourdomain.com or billing.yourdomain.com during his browsing session, because the original cookie will no longer be sent. Thus, it is common to begin the domain value with a dot and leave off the host name, for example .yourdomain.com. In this manner, the cookie will be valid for all hosts on the domain. The domain cannot differ from the domain that sent the cookie; otherwise, the cookie will not function properly, if at all, or the web browser will refuse the cookie entirely.
If your web browser is configured to store cookies, it keeps the cookie-based information until the expiration date. If the user points the browser at any page that matches the path and domain of the cookie, it will resend the cookie to the server. The browser's headers might look something like this:
GET / HTTP/1.0
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows; U; Win98; it; rv:18.104.22.168) Gecko/20060111 Firefox/22.214.171.124
Host: www.yourdomain.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Language: en, pdf
Accept-Charset: iso-8859-1, *, utf-8
Cookie: vegetable=artichoke
A PHP script can then read the cookie either as the raw value of the HTTP_COOKIE header or, already parsed into name/value pairs, from the $_COOKIE superglobal; any of the following three lines will work:
echo $_SERVER["HTTP_COOKIE"]; // will print "vegetable=artichoke"
echo getenv("HTTP_COOKIE");   // will print "vegetable=artichoke"
echo $_COOKIE["vegetable"];   // will print "artichoke"
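As an added example (not from the original text), here is how the same vegetable cookie could be set from PHP with an explicit expiration, path and domain, and then read back on a later request. It assumes PHP 7.3 or later for the options-array form of setcookie(), uses the yourdomain.com host from the text, and adds the Secure, HttpOnly and SameSite attributes, which go beyond the headers shown above.

```php
<?php
// Added example, not code from the original text.
// setcookie() emits a Set-Cookie header, so it must run before any output.
$cookieOptions = [
    'expires'  => time() + 60 * 60 * 24, // one day; 0 would make it a session cookie
    'path'     => '/',                   // returned for every path under the document root
    'domain'   => '.yourdomain.com',     // leading dot: valid for all hosts on the domain
    'secure'   => true,                  // only sent over HTTPS
    'httponly' => true,                  // not readable by client-side script
    'samesite' => 'Lax',                 // not sent with most cross-site requests
];
setcookie('vegetable', 'artichoke', $cookieOptions);

// The cookie only appears in $_COOKIE on the *next* request, once the browser
// has sent it back. Treat the value as untrusted input: the client controls it.
$allowed   = ['artichoke', 'leek', 'carrot']; // constructed allow-list for this example
$vegetable = $_COOKIE['vegetable'] ?? null;

if ($vegetable !== null && in_array($vegetable, $allowed, true)) {
    echo 'Your vegetable is ' . htmlspecialchars($vegetable, ENT_QUOTES, 'UTF-8');
} else {
    echo 'No valid vegetable cookie received';
}
```

On the first visit the script prints the fallback message; on the following request the browser returns "Cookie: vegetable=artichoke" and the allow-listed value is echoed.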