Setting a Cookie with PHP

You can set a cookie in a PHP script in two ways. You can use the header() function to set the Set-Cookie header. The header() function requires a string that will then be included in the header section of the server response. Because headers are sent automatically for you, header() must be called before any output at all is sent to the browser:

header("Set-Cookie: vegetable=artichoke; expires=Wed, 19-Sep-02 14:39:58 GMT");

Although not difficult, this method of setting a cookie would require you to build a function to construct the header string. Formatting the date as in this example and URL encoding the name/value pair would not be a particularly arduous task. It would, however, be an exercise in wheel reinvention because PHP provides a function that does just that.

The setcookie() function does what the name suggests: it outputs a Set-Cookie header. For this reason, it should be called before any other content is sent to the browser. The function accepts the cookie name, cookie value, expiry date in Unix epoch format, path, domain, and an integer that should be set to 1 if the cookie is only to be sent over a secure connection. All arguments to this function are optional apart from the first (cookie name) parameter.

Listing 15.6 uses setcookie() to set a cookie.

Listing 15.6 Setting and Printing a Cookie Value
  1:     <?php
  2:     setcookie("vegetable", "artichoke", time()+3600, "/", "", 0);
  3:     ?>
  4:     <html>
  5:     <head>
  6:     <title>Listing 15.6 Setting and printing a cookie value</title>
  7:     </head>
  8:     <body>
  9:     <?php
 10:     if (isset($_COOKIE['vegetable'])) {
 11:         print "<p>Hello again, your chosen vegetable is " . htmlspecialchars($_COOKIE['vegetable']) . "</p>";
 12:     } else {
 13:         print "<p>Hello you. This may be your first visit</p>";
 14:     }
 15:     ?>
 16:     </body>
 17:     </html>

Even though we set the cookie (line 2) when the script is run for the first time, the $_COOKIE[vegetable] variable will not be created at this point. A cookie is read only when the browser sends it to the server. This will not happen until the user revisits a page in your domain. We set the cookie name to "vegetable" on line 2 and the cookie value to "artichoke". We use the time() function to get the current time stamp and add 3600 to it (there are 3600 seconds in an hour). This total represents our expiry date. We define a path of "/", which means that a cookie should be sent for any page within our server environment. We set the domain argument to "", which means that a cookie will be sent to any server in that group. Finally, we pass 0 to setcookie(), signaling that cookies can be sent in an insecure environment.

Passing setcookie() an empty string ("") for string arguments or 0 for integer fields will cause these arguments to be skipped.

Deleting a Cookie

Officially, to delete a cookie, you should call setcookie() with the name argument only:


This approach does not always work well, however, and should not be relied on. It is safest to set the cookie with a date that has already expired:

setcookie("vegetable", "", time()-60, "/", "", 0);

You should also ensure that you pass setcookie() the same path, domain, and secure parameters as you did when originally setting the cookie.
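The following is an added example, not code from the book. It shows one way to keep the path, domain, and secure values identical between the call that sets the cookie and the call that deletes it, while also turning on the Secure, HttpOnly, and SameSite attributes. It assumes PHP 7.3 or later (for the options-array form of setcookie()) and a site served over HTTPS; the helper names cookie_scope(), set_vegetable(), delete_vegetable() and the "forget" query parameter are hypothetical.

```php
<?php
// Added example (not from the book). Assumes PHP 7.3+ and HTTPS.
// cookie_scope(), set_vegetable(), delete_vegetable() are hypothetical names.

// One definition of the cookie's scope, shared by set and delete so the
// path, domain and secure values can never drift apart.
function cookie_scope(): array
{
    return [
        'path'     => '/',
        'domain'   => '',     // empty string: the argument is skipped
        'secure'   => true,   // only send over HTTPS (the listing passes 0)
        'httponly' => true,   // keep the cookie out of reach of JavaScript
        'samesite' => 'Lax',  // not attached to most cross-site requests
    ];
}

function set_vegetable(string $value, int $lifetime = 3600): bool
{
    return setcookie('vegetable', $value,
        ['expires' => time() + $lifetime] + cookie_scope());
}

function delete_vegetable(): bool
{
    // Same scope as when set, empty value, expiry date already in the past.
    return setcookie('vegetable', '',
        ['expires' => time() - 60] + cookie_scope());
}

// Both helpers emit a Set-Cookie header, so they run before any output.
// "forget" is a constructed query parameter used only for this example.
if (isset($_GET['forget'])) {
    delete_vegetable();
} else {
    set_vegetable('artichoke');
}
?>
<html>
<body>
<?php
if (isset($_COOKIE['vegetable'])) {
    // The value arrives from the browser, so escape it before printing.
    $veg = htmlspecialchars($_COOKIE['vegetable'], ENT_QUOTES, 'UTF-8');
    print "<p>Hello again, your chosen vegetable is $veg</p>";
}
?>
</body>
</html>
```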
