Setting cookie using header("Set-cookie") vs setcookie() function
B

5

15

I'm refactoring some code and found something I've never seen. The function is used to set a cookie for the user when the user logs in:

  function setUserCookie($name, $value) {
     $date = date("D, d M Y H:i:s",strtotime('1 January 2015')) . 'GMT';
     header("Set-Cookie: {$name}={$value}; EXPIRES{$date};");
  }

Now that I've been assigned to refactor the code, I'm planning to use the setcookie function, which essentially does the same thing according to php.net.

My question is: is there any difference between the two, and which one should I use?

NOTE: this code was written a long time ago, so I'm assuming that at that time setcookie didn't exist?

Brickyard answered 6/6, 2013 at 21:3 Comment(1)
You might find new Cookie($name) helpful, as found in this standalone library. So that's a third option for setting cookies. Honestly, never set the HTTP header directly. Use the built-in PHP function or the constructor cited here in order to set cookies with properly escaped values using header values that are built automatically. – Toadfish
B
8

There's no good reason not to use setcookie. The above code doesn't properly encode names and values, so that's at least one major benefit to refactoring.

Broadway answered 6/6, 2013 at 21:9 Comment(2)
setcookie() doesn't pass 2038 on 32-bit systems. It's an issue for web servers on embedded platforms (they won't be updated). – Insecure
setcookie() does not have a PSR-7 equivalent without using a compatibility package. – Polard
D
5

The difference between the two functions is that header() is the general function for setting HTTP headers while setcookie() is specifically meant to set the Set-Cookie header.

header() therefore takes a string containing the complete header, while setcookie() takes several cookie-specific arguments and then creates the Set-Cookie header from them.

Dessau answered 24/2, 2017 at 11:35 Comment(0)
P
5

Here's a use case in which you can't use setcookie:

  • you run a website on PHP<7.3
  • you have to set 'SameSite' cookie attribute

You can achieve that by exploiting a bug in setcookie, but I wouldn't rely on a bug as it gets fixed over time:

  setcookie('samesite-test', '1', 0, '/; samesite=strict');

Or you can use PHP header function:

  header("Set-Cookie: samesite-test=1; expires=0; path=/; samesite=Strict");

Note that the secure option is required when setting the samesite attribute.

Peru answered 20/10, 2020 at 19:2 Comment(1)
Well done. This is exactly what I was looking for for my PHP 5.5+ server. Thanks for the reply. – Morpheme
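Added example (not part of the answer above, and not PHP's own implementation): one helper that sets a SameSite cookie through setcookie()'s options array on PHP 7.3+ and through a hand-built header on older versions, validating every part before it reaches the header. The helper name setSameSiteCookie and its default options are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. setSameSiteCookie() and its defaults
// are hypothetical. No scalar type hints, so the fallback also parses on PHP 5.4+.
function setSameSiteCookie($name, $value, array $options = [])
{
    $o = $options + [
        'expires' => 0, 'path' => '/', 'domain' => '',
        'secure' => true, 'httponly' => true, 'samesite' => 'Strict',
    ];
    // Reject what setcookie() refuses; a ';' here would inject extra attributes.
    $bad = ",; \t\r\n\013\014";
    if ($name === '' || strpbrk($name, '=' . $bad) !== false
        || strpbrk($o['path'] . $o['domain'], $bad) !== false) {
        return false;
    }
    if (!in_array($o['samesite'], ['Strict', 'Lax', 'None'], true)) {
        return false;
    }
    // Browsers reject SameSite=None cookies that are not also Secure.
    if ($o['samesite'] === 'None' && !$o['secure']) {
        return false;
    }
    if (headers_sent()) {
        return false; // too late to add a header
    }
    if (PHP_VERSION_ID >= 70300) {
        // PHP 7.3+: the options array accepts 'samesite' directly.
        return setcookie($name, $value, $o);
    }
    // PHP < 7.3: build the header by hand from the validated parts.
    $header = 'Set-Cookie: ' . $name . '=' . rawurlencode($value);
    if ($o['expires'] != 0) {
        $header .= '; expires=' . gmdate('D, d-M-Y H:i:s', $o['expires']) . ' GMT'
                 . '; Max-Age=' . max(0, $o['expires'] - time());
    }
    if ($o['path'] !== '') {
        $header .= '; path=' . $o['path'];
    }
    if ($o['domain'] !== '') {
        $header .= '; domain=' . $o['domain'];
    }
    $header .= ($o['secure'] ? '; secure' : '') . ($o['httponly'] ? '; HttpOnly' : '');
    $header .= '; SameSite=' . $o['samesite'];
    header($header, false); // false: append, keep earlier Set-Cookie headers
    return true;
}

// Usage: a session cookie that is Secure, HttpOnly and SameSite=Strict.
setSameSiteCookie('samesite-test', '1');
```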
F
3

I replicated what I believe to be the exact behavior of setCookie programmatically. Here is my implementation, if it can be useful for anyone else.

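function setUserCookie($name, $value, $expires = 0, $path = "", $domain = "", $secure = false, $http_only = false) {
   // setcookie() rejects these characters; a ';' would inject extra attributes
   if($name === "" || strpbrk($name, "=,; \t\r\n\013\014") !== false
      || strpbrk($path . $domain, ",; \t\r\n\013\014") !== false) {
     return false;
   }
   // URL-encode the value so it cannot break out of the name=value pair
   $value = rawurlencode($value);
   $header = "Set-Cookie: {$name}={$value}";
   if($expires != 0) {
     // gmdate() formats in GMT without changing the script's default timezone
     $date = gmdate("D, d-M-Y H:i:s",$expires) . ' GMT';
     // Clamp Max-Age at 0 for expiry times that are already in the past
     $header .= "; expires={$date}; Max-Age=".max(0, $expires - time());
   }
   if($path != "") {
     $header .= "; path=".$path;
   }
   if($domain != "") {
     $header .= "; domain=".$domain;
   }
   if($secure) {
     $header .= "; secure";
   }
   if($http_only) {
     $header .= "; HttpOnly";
   }
   // false = append, so earlier Set-Cookie headers are not replaced
   header($header, false);
   return true;
}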

The differences from your function are exactly the differences from setCookie (more arguments like custom expires, path, domain, secure and httpOnly). In particular, note the second argument to "header" (false), which makes it possible to set multiple cookies with different calls to the function.

Fallon answered 12/9, 2021 at 21:57 Comment(0)
M
2

One big difference is that setcookie always sets host_only=false and there is nothing you can do about it.

So if you have to set host_only=true for whatever reason, you have to use the header method. As far as I know.

Meras answered 26/8, 2019 at 11:16 Comment(0)
