Blog

How Do Cookies in PHP Work?

Cookies in PHP are essential for managing user sessions and storing data across web pages. Understanding them can help solve issues like maintaining user login states or storing preferences without overloading the server. Curious about creating a smoother user experience? Keep reading to master ‘Cookies in PHP’ and enhance your web projects!

What Are Cookies in PHP?

Cookies in PHP are small pieces of data that a web server stores in a user’s web browser. These cookies allow websites to remember information about users between different page requests.

Since HTTP is a stateless protocol, cookies help maintain continuity by storing user-related data on the client side.

In simple terms, a cookie acts like a memory that helps a website recognize returning users and remember their preferences.

Key Characteristics of Cookies

  • Small data stored in the user’s browser
  • Created by the web server
  • Sent back to the server with each request
  • Used to remember user information
  • Have an expiration time

Example Use Cases of Cookies in PHP

Cookies are widely used in real-world web applications to improve user experience and functionality.

Common Use Cases

  • User Login Sessions
    Cookies store login identifiers so users stay logged in across pages.
  • Remember User Preferences
    Websites remember settings like language, theme, or location.
  • Shopping Cart Tracking
    E-commerce platforms store selected products in cookies until checkout.
  • Website Analytics
    Cookies track user behavior such as page visits and session duration.

Why Cookies Are Used in PHP

Cookies are used in PHP to manage user state and store small amounts of data on the client side. They play a critical role in building interactive and personalized web applications.

Technical Purpose of Cookies

Stateless Nature of HTTP

HTTP does not remember previous requests. Each request is treated as independent.

Cookies solve this limitation by storing user data between requests.

For example:

  • User logs in
  • Server creates a cookie
  • Browser sends cookie with future requests
  • Server recognizes the user

Client-Side Storage

Cookies store data directly in the user’s browser instead of the server.

This reduces server processing and allows faster data retrieval.

User Identification

Cookies help identify users uniquely by storing identifiers such as:

  • User ID
  • Session token
  • Authentication status

Session Persistence

Cookies maintain session continuity even when users:

  • Navigate between pages
  • Refresh the browser
  • Return to the website later

Benefits of Using Cookies in PHP

Faster User Experience

Cookies allow quick retrieval of stored data without repeated server processing.

Personalization

Websites can customize content based on user preferences stored in cookies.

Examples:

  • Dark mode settings
  • Language selection
  • Recommended products

Reduced Server Load

Since cookies store data on the client side, servers handle fewer repeated requests, improving performance and scalability.

Syntax for Creating Cookies in PHP

In PHP, cookies are created using the setcookie() function. This function sends a cookie from the server to the user’s browser.

Standard Syntax

setcookie(name, value, expire, path, domain, secure, httponly);

This function must be called before any HTML output is sent to the browser.

Parameters of setcookie() Function

name

The name of the cookie.

Example:

setcookie("username", "John");

value

The data stored inside the cookie.

This can include:

  • Username
  • User ID
  • Preferences

expiration time

Specifies how long the cookie will remain valid.

Example:

time() + 3600

This sets the cookie to expire after 1 hour.

path

Defines where the cookie is available on the website.

Example:

"/"

Meaning:

Accessible across the entire website.

domain

Specifies the domain where the cookie is valid.

Example:

"example.com"

secure

Determines whether the cookie is sent only over HTTPS connections.

Values:

  • true
  • false

httponly

Prevents JavaScript from accessing the cookie, improving security.

Values:

  • true
  • false

How to Set Cookies in PHP

Setting a cookie in PHP involves calling the setcookie() function with a name, value, and expiration time.

Example: Setting a Cookie

setcookie("username", "John", time() + 3600);

Explanation of the Example

Cookie Name

username

This identifies the cookie.

Cookie Value

John

This is the data stored in the cookie.

Expiration Time

time() + 3600

Meaning:

The cookie will expire after 3600 seconds (1 hour).

If no expiration time is provided, the cookie becomes a session cookie and is deleted when the browser closes.

How to Retrieve Cookies in PHP

Cookies stored in the browser can be accessed in PHP using the $_COOKIE superglobal array.

This array contains all cookies sent by the browser to the server.

Example: Retrieving a Cookie

echo $_COOKIE["username"];

Explanation

$_COOKIE Superglobal

$_COOKIE is a built-in PHP associative array that stores cookie data.

Example structure:

$_COOKIE["cookie_name"]

Accessing Stored Cookie Data

When the browser sends the cookie back to the server, PHP reads it using:

$_COOKIE["username"]

Output:

John

How to Delete Cookies in PHP

Deleting a cookie in PHP is done by setting the cookie’s expiration time to a value in the past.

When the browser detects that the cookie has expired, it automatically removes it.

Example: Deleting a Cookie

setcookie("username", "", time() - 3600);

Explanation

Expiration in the Past

time() - 3600

This sets the expiration time to one hour earlier than the current time.

Browser Removes Cookie

Once the browser receives the expired cookie:

  • The cookie becomes invalid
  • The browser deletes it automatically
  • The data is no longer available

Real-Life Uses of Cookies in PHP


  1. Google: Personalized Advertising
    Google uses cookies to tailor ads according to user preferences. When users visit a site, cookies save their search data, which helps in showing relevant ads later.

        // Set a cookie
        setcookie("user_preferences", "sports_cars", time() + (86400 * 30), "/");

    // Retrieve the cookie    
    if(isset($_COOKIE["user_preferences"])) {
        $adCategory = $_COOKIE["user_preferences"];
        echo "Ads related to $adCategory will be displayed.";
    }
    Output: Users receive adverts that match their interests, improving ad engagement and revenue.
  2. Amazon: Shopping Cart Functionality
    Amazon uses cookies to preserve items in a shopping cart even when users leave the site. This ensures that users can continue shopping from where they left off upon returning.

        // Set a cookie
        setcookie("cart_items", "item5,item7", time() + (86400 * 30), "/");

    // Retrieve the cookie    
    if(isset($_COOKIE["cart_items"])) {
        $cartContents = $_COOKIE["cart_items"];
        echo "Current items in your cart: $cartContents.";
    }
    Output: Provides a seamless shopping experience by maintaining cart data across sessions.
  3. Facebook: Login Persistence
    Facebook utilises cookies to keep users logged in. When users tick ‘Keep me logged in’ on their devices, a cookie ensures they don’t have to log in repeatedly.

        // Set a login cookie
        setcookie("user_login", "logged", time() + (86400 * 30), "/");

    // Check login status    
    if(isset($_COOKIE["user_login"])) {
        echo "Welcome back! You are still logged in.";
    }
    Output: Enhances user experience by reducing login friction.

Cookies vs Sessions in PHP

Both cookies and sessions are used in PHP to store user-related data and maintain state across web pages. However, they differ significantly in how and where data is stored, as well as in their security and usage patterns.

Cookies store data on the user’s browser, while sessions store data on the server. Because of this architectural difference, sessions are generally considered more secure and suitable for sensitive information.

Comparison Table: Cookies vs Sessions in PHP

FeatureCookiesSessions
Storage LocationBrowserServer
SecurityLess secureMore secure
Size LimitSmall (typically ~4 KB)Larger (depends on server configuration)
LifetimeSet by developerUntil session ends or timeout occurs

When to Use Cookies vs Sessions

Use cookies when:

  • You need to store small amounts of non-sensitive data
  • Data should persist after the browser closes
  • You want faster access without server storage

Use sessions when:

  • Storing sensitive user data
  • Managing authentication securely
  • Maintaining temporary server-side state

Security Best Practices for Using Cookies in PHP

Security is critical when working with cookies because they are stored on the client side and can be modified or intercepted if not properly configured. Following best practices reduces the risk of attacks such as session hijacking, cross-site scripting (XSS), and data tampering.

Use HttpOnly Flag

The HttpOnly flag prevents JavaScript from accessing the cookie. This protects against cross-site scripting (XSS) attacks.

Why it matters:
Attackers cannot steal cookies using malicious scripts.

Use Secure Flag

The Secure flag ensures that cookies are transmitted only over HTTPS connections.

Why it matters:
This prevents cookies from being intercepted during data transmission.

Avoid Storing Sensitive Data

Never store sensitive information directly in cookies, such as:

  • Passwords
  • Credit card numbers
  • Personal identification data
  • Authentication credentials

Instead, store:

  • Session IDs
  • Tokens
  • Non-sensitive preferences

Set Proper Expiration Time

Cookies should have an appropriate expiration time based on their purpose.

Examples:

  • Login session → Short expiration
  • User preferences → Longer expiration
  • Temporary data → Very short expiration

This reduces security risks and unnecessary storage.

Validate Cookie Data

Always validate cookie data before using it in your application.

Example checks:

  • Data type validation
  • Length validation
  • Format validation
  • Existence check

This prevents malicious input and application errors.

Secure Cookie Example in PHP

setcookie("user", "John", time()+3600, "/", "", true, true);

Explanation of Parameters

  • “user” → Cookie name
  • “John” → Cookie value
  • time()+3600 → Expires in 1 hour
  • “/” → Available across the website
  • “” → Domain (default)
  • true → Secure (HTTPS only)
  • true → HttpOnly (not accessible via JavaScript)

This configuration follows standard security best practices.

Common Errors When Working With Cookies in PHP

Developers often encounter issues when implementing cookies due to the way HTTP headers and browser behavior work. Understanding these common errors helps diagnose problems quickly.

Headers Already Sent Error

This is one of the most frequent errors in PHP when working with cookies.

Cause

Cookies are sent as part of HTTP headers. If any output is sent to the browser before calling setcookie(), PHP cannot modify the headers.

Examples of output:

  • HTML content
  • echo statements
  • whitespace before <?php
  • BOM characters

Incorrect Example

echo "Hello";
setcookie("user", "John");

Correct Example

setcookie("user", "John");
echo "Hello";

Cookie Not Working

Sometimes cookies fail to store or retrieve data correctly. This issue usually relates to browser settings or incorrect configuration.

Browser Settings

Some users disable cookies in their browser, preventing cookies from being stored.

Result:

The application cannot maintain user state.

Expiration Issues

If the expiration time is set incorrectly, the cookie may expire immediately.

Example problem:

time() - 3600

This sets the cookie in the past.

Path Mismatch

If the cookie path is incorrect, the browser may not send the cookie to certain pages.

Example:

  • Cookie path set to /admin
  • Page accessed from /home

Result:

Cookie will not be available.

Best Practices for Using Cookies in PHP

Following best practices ensures reliable behavior, better performance, and stronger security in production environments.

Set Expiration Time Carefully

Choose expiration time based on the use case.

Examples:

  • Session login → Short duration
  • Preferences → Longer duration
  • Temporary data → Very short duration

Use Secure Cookies for HTTPS

Always enable the Secure flag when your website uses HTTPS.

setcookie("user", "John", time()+3600, "/", "", true, true);

This ensures encrypted transmission.

Keep Cookie Size Small

Cookies are sent with every HTTP request. Large cookies increase network overhead and slow down performance.

Best practice:

Keep each cookie under 4 KB.

Validate Cookie Values

Never trust user-controlled data.

Always:

  • Check data type
  • Validate format
  • Sanitize input
  • Handle missing values

Use Sessions for Sensitive Data

Sessions are stored on the server and provide better security for critical information.

Use sessions for:

  • Authentication
  • Payment data
  • Personal information
  • User permissions

When Should You Use Cookies in PHP?

Cookies should be used when you need to store small, persistent data on the client side and maintain user state across visits.

Common Use Cases for Cookies

Login Persistence

Cookies allow users to remain logged in after closing and reopening the browser.

Example:

“Remember Me” functionality.

User Preferences

Cookies store personalized settings.

Examples:

  • Theme (dark/light mode)
  • Font size
  • Layout preferences

Language Settings

Websites store the user’s preferred language to display content automatically.

Example:

  • English
  • Hindi
  • Spanish

Tracking User Behavior

Cookies help analyze user activity for performance and usability improvements.

Examples:

  • Page visits
  • Session duration
  • Navigation patterns

Authentication Tokens

Cookies store secure tokens that verify user identity during sessions.

Used in:

  • Login systems
  • API authentication
  • Secure web applications

PHP Cookies Interview Questions

  1. How can I set a cookie with a specific path in PHP?
    To set a cookie with a specific path in PHP, you can use the `setcookie()` function, specifying the path parameter. For example, to set a cookie accessible only to the `/blog` directory: 
    setcookie("user", "JohnDoe", time() + 3600, "/blog/");
    Setting the path ensures the cookie is sent only to that directory and its subdirectories.

  2. Can I read all cookies at once in PHP?
    Yes, you can read all cookies at once by accessing the `$_COOKIE` superglobal array. This array holds all the cookies available to your script: 
    print_r($_COOKIE);
    This will display an associative array of all cookies; they can be accessed using their respective keys.

  3. How do cookies in PHP handle special characters?
    To safely use special characters in cookies, you should URL encode and decode the cookie value using `urlencode()` and `urldecode()` functions: 
    setcookie("user", urlencode("John Doe & Friends")); // Encoding
echo urldecode($_COOKIE['user']); // Decoding
    This ensures that any special characters don’t cause errors when setting or reading cookies.

  4. What happens if I try to set a cookie after the headers are sent?
    If you attempt to set a cookie after the HTTP headers have been sent, PHP will trigger a “Cannot modify header information” warning. Always make sure to call `setcookie()` before any output is sent from your script.

  5. Is there a way to make cookies in PHP secure and HTTP-only?
    Yes, when using `setcookie()`, you can set the `secure` and `httponly` flags to true: 
    setcookie("user", "JohnDoe", time() + 3600, "/", "", true, true);
    The `secure` flag ensures the cookie is sent only over HTTPS connections, and `httponly` makes it inaccessible to JavaScript, enhancing security.

  6. How can I handle cookie expiration in PHP?
    You handle cookie expiration by setting an expiration time in the `setcookie()` function. The time is set using the `time()` function plus the number of seconds until expiry: 
    setcookie("user", "JohnDoe", time() + 3600); // Expires in 1 hour
    When the expiration time is reached, the cookie is automatically deleted by the client’s browser.

  7. What is a scenario where cookies in PHP may not work as expected?
    Cookies might not work if the user’s browser is set to block cookies, or if there’s a mismatch between the domain and path set for the cookie. Double-check your domain and path settings in `setcookie()` to ensure they’re correct.

  8. How do I delete a cookie in PHP?
    To delete a cookie, set the expiration date in the past using `setcookie()`: 
    setcookie("user", "", time() - 3600);
    This tells the browser that the cookie has expired and should be removed.

Our AI-powered php online compiler offers a seamless coding experience. Instantly write, run, and test your ‘php’ code with the help of AI. It’s designed to streamline your coding process, making it quicker and more efficient. Try it out, and see the difference AI can make!

Conclusion

Learning how to manage Cookies in PHP offers the invaluable ability to personalise user experiences, making your web applications more engaging and interactive. Feel the satisfaction of seeing your code work seamlessly in real-life scenarios. Curious to master more? Explore Newtum for other programming languages!

Edited and Compiled by

This article was compiled and edited by @rasikadeshpande, who has over 4 years of experience in writing. She’s passionate about helping beginners understand technical topics in a more interactive way.

About The Author

Sakshi Shelar

See author's posts