Servage Magazine

Information about YOUR hosting company – where we give you a clear picture of what we think and do!

Working properly with cookies

Saturday, December 28th, 2019 by Helge

You probably know the many warnings popping up on most websites nowadays, telling you that the site uses cookies. Maybe they even offer you a cookie-free version if you don’t accept. This dialog was introduced on a wide scale after recent legislation required site owners to be transparent about their cookie usage towards visitors. However, the practical benefit or protection for users is still debated. Most users are simply annoyed, and apart from adding the warning, site owners are not really changing their practices. Cookies are an important technical part of operating a website.

Purpose of cookies

Cookies are used to let the server store information in the client’s browser for later use. This is essential for being able to “remember” users. For example, a login function where you do not have to log in every time you access the site on the same device is powered by cookies. This is done by storing a cookie in the client during the original login; on later requests the cookie authenticates the user to the server, because it contains a unique piece of information which the server uses to identify the user. Without cookies the web would not work very well.

Storing a cookie

This post describes how to set up a new cookie using PHP. Thankfully, handling cookies in PHP is a simple matter once you know how. It all revolves around PHP’s own setcookie function, which takes the following parameters:

setcookie(name, value, expire, path, domain, secure, httponly);

Accessing a cookie

Cookie values are stored in the global $_COOKIE variable. This variable is available anywhere in the code and contains an array of cookies with their data, keyed by cookie name. Please note that cookies are read into the variable at the beginning of the script execution: the browser sends the cookies to the web server and thus to PHP, after which the values are stored. If you create new cookies, they can only be read on the next request from the client to the server. Read cookie data like below:

if (isset($_COOKIE['username']))
  $username = $_COOKIE['username'];

Destroying a cookie

There is no good way of removing a cookie other than overwriting the existing cookie with blank data and setting an expiration date that has already passed. This makes the browser remove it. Notice how the cookie value is cleared and the time is in the past (an empty string is used rather than null, which PHP 8.1 and later report as deprecated for this parameter):

setcookie('username', '', time() - 3600, '/');

Use cookies with care

You should not start tracking all kinds of unnecessary things with cookies, nor overload the client’s browser with cookie information. Use cookies when needed, but keep everything else server side. Also pay attention to what information you store and how you store it. E.g. storing the user ID in plain text is not a good idea, because an attacker could simply change it to another user ID and thus “become” that user. Make sure you use proper encryption and/or hashing of data stored in cookies. See our posts about session hijacking for more information about the security implications.
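The following is an added example (not code from the original post) that ties the sections above together: it sets the cookie with the secure and httponly parameters, reads it back from $_COOKIE, deletes it with a past expiry, and protects the stored user ID with an HMAC (a keyed hash) so that a tampered value is rejected instead of “becoming” another user. It assumes PHP 7.3 or later for the options-array form of setcookie() and a secret key loaded from configuration; the key shown is a constructed placeholder.

```php
<?php
// Added example, not from the original post. Assumes PHP >= 7.3 and a
// server-side secret; COOKIE_KEY below is a constructed placeholder that
// must be replaced by a long random value loaded from config or environment.
const COOKIE_NAME = 'uid';
const COOKIE_KEY  = 'replace-with-a-long-random-secret';

// Store the user ID together with an HMAC over it, as "<id>.<hex hmac>".
// setcookie() sends an HTTP header, so it must run before any output.
function setSignedUserCookie(int $userId, int $ttlSeconds = 2592000): bool
{
    $mac = hash_hmac('sha256', (string) $userId, COOKIE_KEY);
    return setcookie(COOKIE_NAME, $userId . '.' . $mac, [
        'expires'  => time() + $ttlSeconds,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable by JavaScript
        'samesite' => 'Lax',  // not sent on most cross-site requests
    ]);
}

// Parse and verify a cookie value; returns the user ID, or null when the
// value is missing, malformed, or its signature does not match.
function verifySignedCookieValue(?string $value): ?int
{
    if ($value === null || !preg_match('/^(\d+)\.([0-9a-f]{64})$/', $value, $m)) {
        return null;
    }
    $expected = hash_hmac('sha256', $m[1], COOKIE_KEY);
    // hash_equals() compares in constant time to avoid timing side channels.
    return hash_equals($expected, $m[2]) ? (int) $m[1] : null;
}

// Read the cookie the browser sent with this request (null when absent).
function currentUserId(): ?int
{
    return verifySignedCookieValue($_COOKIE[COOKIE_NAME] ?? null);
}

// Delete: overwrite with an empty value and an expiry in the past, using
// the same path and flags the cookie was originally set with.
function clearUserCookie(): bool
{
    return setcookie(COOKIE_NAME, '', [
        'expires'  => time() - 3600, 'path' => '/',
        'secure'   => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}
```

A cookie edited from "42.<mac>" to "7.<mac>" fails hash_equals() and currentUserId() returns null, so the request is treated as not logged in rather than as user 7.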


Categories: Guides & Tutorials