After a cookie is set, only the originating host can read the data, ensuring that the user's privacy is respected. Furthermore, the user can configure her browser to notify upon receipt of all cookies, or even to refuse all cookie requests. For this reason, cookies should be used in moderation and should not be relied on as an essential element of an environment design without first warning the user.
The Anatomy of a Cookie
A PHP script that sets a cookie might send headers that look something like this:
HTTP/1.1 200 OK Date: Mon, 23 Aug 2004 13:39:58 GMT Server: Apache/2.0.52 (Unix) PHP/5.0.2 X-Powered-By: PHP/5.0.2 Set-Cookie: vegetable=artichoke; path=/; domain=yourdomain.com Connection: close Content-Type: text/html
As you can see, this Set-Cookie header contains a name/value pair, a path, and a domain. If set, the expiration field provides the date at which the browser should "forget" the value of the cookie. If no expiration date is set, the cookie will expire when the user's session expireswhen they close their browser.
The path and domain fields work together, as the path is a directory found on the domain, below which the cookie should be sent back to the server. If the path is "/", which is common, that means the cookie can be read by any files below the document root. If the path were "/products/" then the cookie could only be read by files within the /products directory of the Web site.
The domain field represents that Internet domain from which cookie-based communication is allowed. For example, if your domain is www.yourdomain.com and you use www.yourdomain.com as the domain value for the cookie, the cookies will only be valid when browsing the www.domain.com Web site. This could pose a problem if you send the user to some domain like www2.domain.com or billing.domain.com within the course of their browsing experience, as the oroginal cookie will no longer work. Thus, it is common to simply begin the value of the domain slot in cookie definitions with a dot, leaving off the host, for example, .domain.com. In this manner, the cookie will be valid for all hosts on the domain. The domain cannot be different from the domain from which the cookie was sent, otherwise the cookie will not function properly, if at all, or the Web browser will refuse the cookie in its entirety.
If your Web browser is configured to store cookies, it will then keep the cookie-based information until the expiration date. If the user points the browser at any page that matches the path and domain of the cookie, it will resend the cookie to the server. The browser's headers might look something like this:
GET / HTTP/1.0 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3 Host: www.yourdomain.com Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* Accept-Encoding: gzip Accept-Language: en,pdf Accept-Charset: iso-8859-1,*,utf-8 Cookie: vegetable=artichoke
A PHP script will then have access to the cookie in the environment variable HTTP_COOKIE or as part of the $_COOKIE superglobal:
echo "$_SERVER[HTTP_COOKIE]<BR>"; // will print "vegetable=artichoke" echo getenv("HTTP_COOKIE")."<BR>"; // will print "vegetable=artichoke" echo $_COOKIE['vegetable']."<BR>"; // will print "artichoke"