Cookies allow websites to store and retrieve information on the client side. They are useful for maintaining state, such as keeping users logged in or tracking shopping cart items. Cookies are set using the setcookie() function and accessed via the $_COOKIE superglobal array. Key points are to set cookies before any output, specify an expiration time/domain appropriately, and check for cookies on subsequent pages to verify authentication or retrieve stored information.

1. Cookies
Set a cookie – setcookie()
Extract data from a cookie - $_COOKIE
Augment user authentication script
with a cookie

2. What are cookies?
• Web transactions are “memory-less”
• A cookie is a text file that a website stores on a
client’s computer to maintain information about
the client during and between browsing sessions.
• Useful for:
– Shopping carts
– User communities
– Personalized sites
• Not recommended for storing sensitive data
• Store a unique identification string that will
match a user held securely in a database

3. Shopping example
• Assign an identification variable to a user to track
what he does when he visits your site
1. User logs in
2. Send a cookie with variables to say “This is Joe, and Joe
is authenticated”
3. While Joe is surfing your site, you can respond “Hello,
Joe!” on every page
4. If Joe clicks through your catalog and chooses 3 items
to buy, you can keep track of these items
5. Display the items together when Joe goes to the
checkout area

4. Setting Cookies
• A server can access only the cookies that it has placed on the client.
• setcookie() function with parameters:
1. Name – cookie name accessible in subsequent scripts
2. Value – cookie value passed to name
3. Expiration– (optional) sets a specific time in seconds when the cookie
values is no longer accessible e.g. time() + 24*60*60*3 to expire in 3 days
– A cookie without expiration is known as a session cookie,
– A cookie with an expiration time is a persistent cookie.
1. Path – Directories the cookie is valid
– "/“ valid for all files and directories in the website
– Specific directory: cookie valid for pages within that directory
1. Domain- only valid for the host and domain that set them
– If no domain, host name of the server that generated the cookie
6. Security –
– 1 or TRUE: cookie will only be transmitted via HTTPS i.e. secure web site
– 0 or FALSE: non-secure

5. Example
• setcookie( “id”,
“55adb984523afer”,
time() + 14400,
“/”,
“yourdomain.com”,
0);
// 4 hours

6. Bad cookie setting
• Cookies defined in function setcookie are
sent to the client at the same time as the
information in the HTTP header; therefore, it
needs to be called before any XHTML is
printed.
• Hence you absolutely must set a cookie
before sending any other content to the
browser
• See m16/bad_cookie.php

7. <html>
<head>
<title>Bad Cookie</title>
</head>
<body>
<?php
setcookie("test", "ok", "", "/", "127.0.0.1", 0);
?>
<h1>Bad Cookie</h1>
</body>
</html>
This is an error in setting cookies.
Setcookie() function should be placed before <html> tag

8. M16/bad_cookie.php

9. M16/16-1setcookie.php
<?php
$cookie_name = "test_cookie";
$cookie_value = "test string!";
$cookie_expire = time()+86400;
$cookie_domain = "127.0.0.1";
setcookie($cookie_name, $cookie_value, $cookie_expire, "/" , $cookie_domain, 0);
?>
<html>
<head>
<title>Set Test Cookie</title>
</head>
<body>
<h1>Mmmmmmmm...cookie!</h1>
</body>
</html>

10. M16/16-1setcookie.php

11. Permanent cookie
• See fig23_16_20 from text
– Cookies.html
– Cookies.php
– Readcookies.php

12. Input for cookies – cookies.html

13. Acknowledgment – cookies.php

14. Read cookies – readcookies.php

15. Augmenting auth_user with cookie
• 16-2show_login.php
– Gets login username and password
– Calls 16-2do_authuser.php to authenticate the login
• 16-2do_authuser.php
– Checks DB to authenticate the login
– If authenticated:
• Set cookie for the user
• displays links to
– secretA.php
– secretB.php

16. 16-2show_login.html

17. Authenticated!

18. Clicking on secretA or secretB link . . .
• We would expect to get into the links

19. Wait! We got redirected back to the login page
• Why?
• Debug . . .

20. In 16-2do_authuser.php:
if ($num !=0){
$cookie_name ="auth";
$cookie_value ="ok";
$cookie_expire ="0";
$cookie_domain ="127.0.0.1";
setcookie($cookie_name,$cookie_value,$cookie_expire,"/",
$cookie_domain,0);
The domain was 127.0.0.1
When we accessed it with http://localhost/m16/16-2secretB.php

21. Repeat the script in 127.0.0.1

22. Authenticated!

23. Clicking on the secretA link

24. Clicking on the secretB link

25. Check if cookie really works
• Exit the session
– Exit completely out of the web browser
• The cookie was a session cookie
• Auth cookie should now have expired
– Reopen the web browser
– Attempt to access 16-2secretB.php
– Since the user is not authenticated anymore, the
user will be redirected to the login page

26. http://127.0.0.1/m16/16-2secretB.php leads to