Setting a Cookie with PHP

You can set a cookie in a PHP script in two ways. First, you could use the header() function to set the Set-Cookie header. The header() function requires a string that will then be included in the header section of the server response. Because headers are sent automatically for you, header() must be called before any output at all is sent to the browser:

header ("Set-Cookie: vegetable=artichoke; expires=Tue, 07-Mar-06 14:39:58 GMT; path=/; domain=yourdomain.com");

Although not difficult, this method of setting a cookie would require you to build a function to construct the header string. Although formatting the date as in this example and URL-encoding the name/value pair would not be a particularly arduous task, it would be a repetitive one because PHP provides a function that does just thatsetcookie().

The setcookie() function does what its name suggestsit outputs a Set-Cookie header. For this reason, it should be called before any other content is sent to the browser. The function accepts the cookie name, cookie value, expiration date in UNIX epoch format, path, domain, and integer that should be set to 1 if the cookie is only to be sent over a secure connection. All arguments to this function are optional apart from the first (cookie name) parameter.

Listing 12.1 uses setcookie() to set a cookie.

Listing 12.1. Setting and Printing a Cookie Value

 1: <?php 2: setcookie("vegetable", "artichoke", time()+3600, "/", ".yourdomain.com", 0); 3: 4: if (isset($_COOKIE["vegetable"])) { 5:      echo "<p>Hello again, you have chosen: ".$_COOKIE["vegetable"].".</p>"; 6: } else { 7:      echo "<p>Hello you. This may be your first visit.</p>"; 8: } 9: ?>

Even though we set the cookie (line 2) when the script is run for the first time, the $_COOKIE["vegetable"] variable will not be created at this point. Because a cookie is read only when the browser sends it to the server, we won't be able to read it until the user revisits a page within this domain.

We set the cookie name to "vegetable" on line 2 and the cookie value to "artichoke". We use the time() function to get the current time stamp and add 3600 to it (there are 3,600 seconds in an hour). This total represents our expiration date. We define a path of "/", which means that a cookie should be sent for any page within our server environment. We set the domain argument to ".yourdomain.com" (you should make the change relevant to your own domain or use localhost), which means that a cookie will be sent to any server in that group. Finally, we pass 0 to setcookie(), signaling that cookies can be sent in an insecure environment.

Passing setcookie() an empty string ("") for string arguments or 0 for integer fields causes these arguments to be skipped.

By the Way

With using a dynamically created expiration time in a cookie, as in Listing 12.1, note the expiration time is created by adding a certain number of seconds to the current system time of the machine running Apache and PHP. If this system clock is not accurate, it is possible that it may send in the cookie an expiration time that has already passed.

You can view your cookies in most modern web browsers. Figure 12.1 shows the cookie information stored for Listing 12.1. The cookie name, content, and expiration date appear as expected; the domain name will differ when you run this script on your own domain.

For more information on using cookies, and the setcookie() function in particular, see the PHP Manual entry at http://www.php.net/setcookie.

Deleting a Cookie

Officially, to delete a cookie, you call setcookie() with the name argument only: setcookie("vegetable");

This approach does not always work well, however, and should not be relied on. Instead, to delete a cookie, it is safest to set the cookie with a date you are sure has already expired:

setcookie("vegetable", "", time()-60, "/", "yourdomain.com", 0);

Also make sure that you pass setcookie() the same path, domain, and secure parameters as you did when originally setting the cookie.