An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to a user's web browser. The browser may store the cookie and send it back to the same server with later requests. Typically, an HTTP cookie is used to tell whether two requests come from the same browser, for example to keep a user logged in. It remembers stateful information for the stateless HTTP protocol.

Cookies are mainly used for three purposes:
- Logins, shopping carts, game scores, or anything else the server should remember
- User preferences, themes, and other settings
- Recording and analyzing user behavior

Cookies were once used for general client-side storage. While this made sense when they were the only way to store data on the client, modern storage APIs are now recommended. Cookies are sent with every request, so they can worsen performance (especially on mobile data connections). The modern APIs for client-side storage are the Web Storage API (localStorage and sessionStorage) and IndexedDB.

Note: To see stored cookies (and other storage that a web page can use), you can enable the Storage Inspector in Developer Tools and select Cookies from the storage tree.

After receiving an HTTP request, a server can send one or more Set-Cookie headers with the response.
For example, a response carrying two Set-Cookie headers tells the client to store a pair of cookies.

Then, with every subsequent request to the server, the browser sends all previously stored cookies that are in scope for that request back to the server in the Cookie request header.
Define the lifetime of a cookie
The lifetime of a cookie can be defined in two ways. A session cookie (one set without an expiry) is deleted when the current session ends. A permanent cookie is deleted at the date given by its Expires attribute or after the number of seconds given by its Max-Age attribute; when both are present, Max-Age takes precedence.
If your site authenticates users, it should regenerate and resend session cookies, even ones that already exist, whenever a user authenticates. This helps prevent session fixation attacks, in which a third party plants a session identifier in a victim's browser and later reuses the victim's authenticated session.

Restrict access to cookies
You can ensure that cookies are sent securely and aren't accessed by unintended parties or scripts in one of two ways: with the Secure attribute and with the HttpOnly attribute. A cookie with the Secure attribute is only sent to the server over HTTPS, never over unencrypted HTTP. A cookie with the HttpOnly attribute is inaccessible to JavaScript (the Document.cookie API) and is only ever sent to the server.
Define where cookies are sent
Domain attribute
The Domain attribute specifies which hosts can receive a cookie. If it is omitted, the cookie is sent only to the exact host that set it, not to its subdomains. If it is set to a domain, the cookie is also sent to that domain's subdomains. A browser rejects a Domain value that does not cover the host that set the cookie.

Path attribute
The Path attribute indicates a URL path that must exist in the requested URL for the browser to send the cookie. A request path matches if it equals the cookie's Path or is a subdirectory of it; a request to a path that merely shares a textual prefix, or to an unrelated path, does not receive the cookie.
SameSite attribute
The SameSite attribute lets a server specify whether a cookie is sent with cross-site requests, that is, requests initiated from a site other than the one that set the cookie (see Third-party cookies below). Its values are Strict (never sent with cross-site requests), Lax (also sent when the user navigates to the site from another site with a safe method such as GET, but not with other cross-site requests) and None (always sent, which the browser only allows for cookies that also carry the Secure attribute). Restricting cross-site sending limits the exposure of session cookies to cross-site request forgery.
Cookie prefixes
Because of the design of the cookie mechanism, a server can't confirm that a cookie was set from a secure origin or even tell where a cookie was originally set. A vulnerable application on a subdomain can set a cookie with a Domain attribute covering the parent domain, so that it is sent to every other subdomain as well. As a defense-in-depth measure, however, you can use cookie prefixes to assert specific facts about the cookie. Two prefixes are available:
- __Host-: if a cookie name has this prefix, it's accepted only if it is marked Secure, was sent from a secure origin, does not include a Domain attribute, and has Path set to /.
- __Secure-: if a cookie name has this prefix, it's accepted only if it is marked Secure and was sent from a secure origin.

The browser will reject cookies with these prefixes that don't comply with their restrictions. Note that this ensures that subdomain-created cookies with prefixes are either confined to the subdomain or ignored completely. As the application server only checks for a specific cookie name when determining whether the user is authenticated or a CSRF token is correct, this effectively acts as a defense measure against session fixation.

Note: On the application server, the web application must check for the full cookie name including the prefix. User agents do not strip the prefix from the cookie before sending it in a request's Cookie header.
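The browser-side rules described in the sections above (Set-Cookie parsing, session versus Expires/Max-Age lifetime, Domain and Path scoping, Secure, SameSite and the __Host-/__Secure- prefix checks), as an added example that is not code from the MDN page: a small cookie jar in Node.js that models which cookies a browser stores and which it sends back in the Cookie header. The `context` argument to `cookieHeaderFor` is a constructed stand-in for the browser's own knowledge of whether a request is same-site; public-suffix checks on the Domain attribute are left out.

```javascript
// Added example (not from the MDN page): a cookie jar applying the browser-side
// rules described above. Assumptions: one jar models one browser; the "context"
// argument is a constructed stand-in for what a browser knows about a request.

// RFC 6265 default-path: the request path up to, not including, its last "/".
function defaultPath(pathname) {
  const cut = pathname.lastIndexOf("/");
  return !pathname.startsWith("/") || cut === 0 ? "/" : pathname.slice(0, cut);
}

// Host-only cookies match the exact host; Domain cookies also match subdomains.
// (A real browser additionally rejects Domain values that are public suffixes.)
function domainMatches(host, domain, hostOnly) {
  return host === domain || (!hostOnly && host.endsWith("." + domain));
}

// Path-match per RFC 6265 5.1.4: equal, or a subdirectory of the cookie path.
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

// Parse one Set-Cookie value received in a response to requestUrl.
// Returns null when a browser would discard the cookie.
function parseSetCookie(header, requestUrl, now = Date.now()) {
  const url = new URL(requestUrl);
  const host = url.hostname.toLowerCase();
  const [pair, ...attrs] = header.split(";");
  const eq = pair.indexOf("=");
  if (eq <= 0) return null;                               // no name: discard
  const c = {
    name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(),
    domain: host, hostOnly: true, path: defaultPath(url.pathname),
    secure: false, httpOnly: false, sameSite: "Lax",
    expires: null,                                        // null = session cookie
  };
  let maxAgeSeen = false;
  for (const raw of attrs) {
    const i = raw.indexOf("=");
    const key = (i < 0 ? raw : raw.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? "" : raw.slice(i + 1).trim();
    if (key === "max-age") {                              // Max-Age beats Expires
      const secs = Number(val);
      if (Number.isInteger(secs)) { c.expires = now + secs * 1000; maxAgeSeen = true; }
    } else if (key === "expires" && !maxAgeSeen) {
      const t = Date.parse(val);
      if (!Number.isNaN(t)) c.expires = t;
    } else if (key === "domain") {
      const d = val.replace(/^\./, "").toLowerCase();
      if (!d || !domainMatches(host, d, false)) return null; // foreign Domain: discard
      c.domain = d; c.hostOnly = false;
    } else if (key === "path") {
      if (val.startsWith("/")) c.path = val;
    } else if (key === "secure") c.secure = true;
    else if (key === "httponly") c.httpOnly = true;
    else if (key === "samesite") {
      const v = val.toLowerCase();
      c.sameSite = v === "strict" ? "Strict" : v === "none" ? "None" : "Lax";
    }
  }
  if (c.secure && url.protocol !== "https:") return null; // Secure needs a secure origin
  if (c.sameSite === "None" && !c.secure) return null;    // SameSite=None requires Secure
  if (c.name.startsWith("__Secure-") && !c.secure) return null;
  if (c.name.startsWith("__Host-") && !(c.secure && c.hostOnly && c.path === "/")) return null;
  return c;
}

class CookieJar {
  constructor() { this.cookies = new Map(); }             // key: name|domain|path
  // Store the cookies carried by a response's Set-Cookie headers.
  store(setCookieHeaders, requestUrl, now = Date.now()) {
    for (const h of setCookieHeaders) {
      const c = parseSetCookie(h, requestUrl, now);
      if (!c) continue;
      const key = `${c.name}|${c.domain}|${c.path}`;
      // A cookie that is already expired (e.g. Max-Age=0) deletes the stored one.
      if (c.expires !== null && c.expires <= now) this.cookies.delete(key);
      else this.cookies.set(key, c);
    }
  }
  // Build the Cookie header the browser would send with a request, or null.
  // context.sameSite says whether the request is same-site with the page making it;
  // context.topLevelNavigation and context.method matter for SameSite=Lax.
  cookieHeaderFor(requestUrl, context = { sameSite: true }, now = Date.now()) {
    const url = new URL(requestUrl);
    const host = url.hostname.toLowerCase();
    const out = [];
    for (const c of this.cookies.values()) {
      if (c.expires !== null && c.expires <= now) continue;          // expired
      if (!domainMatches(host, c.domain, c.hostOnly)) continue;      // Domain scope
      if (!pathMatches(url.pathname, c.path)) continue;               // Path scope
      if (c.secure && url.protocol !== "https:") continue;            // Secure
      if (!context.sameSite) {                                        // cross-site request
        const laxOk = context.topLevelNavigation && (context.method || "GET") === "GET";
        if (c.sameSite === "Strict" || (c.sameSite === "Lax" && !laxOk)) continue;
      }
      out.push(`${c.name}=${c.value}`);
    }
    return out.length ? out.join("; ") : null;
  }
}
```

Feeding the jar a response with a `__Host-` session cookie, a `Domain=example.com` preference cookie, a `__Host-` cookie that wrongly carries a Domain attribute and a `SameSite=None` cookie without Secure stores only the first two; the session cookie is then omitted from plain-http requests, from requests to sibling subdomains, and from cross-site POSTs, while the preference cookie disappears once its Max-Age has elapsed.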
For more information about cookie prefixes and the current state of browser support, see the Prefixes section of the Set-Cookie reference article.

JavaScript access using Document.cookie
You can create new cookies via JavaScript using the Document.cookie property, and you can read the cookies the page is allowed to see from the same property. Cookies created via JavaScript can't include the HttpOnly attribute. Please note the security issues in the Security section below: cookies available to JavaScript can be stolen through XSS.

Security
Note: When you store information in cookies, keep in mind that all cookie values are visible to, and can be changed by, the end user. Depending on the application, you may want to use an opaque identifier that the server looks up, or investigate alternative authentication/confidentiality mechanisms such as JSON Web Tokens.

Ways to mitigate attacks involving cookies:
- Mark session cookies Secure, so that they travel only over HTTPS, and HttpOnly, so that scripts (and therefore XSS) can't read them.
- Set the SameSite attribute so that the cookie isn't sent with cross-site requests.
- Use the __Host- or __Secure- prefix so that the browser rejects the cookie unless it was set securely and with the expected scope.
- Regenerate the session cookie whenever a user authenticates, to defeat session fixation.
Tracking and privacy
Third-party cookies
A cookie is associated with a particular domain and scheme (such as http or https). If the domain and scheme match those of the page you are on, the cookie is considered to be from the same site as the page and is referred to as a first-party cookie. If the domain and scheme are different, the cookie is not considered to be from the same site, and is referred to as a third-party cookie. While the server hosting a web page sets first-party cookies, the page may contain images or other components stored on servers in other domains (for example, ad banners) that may set third-party cookies. These are mainly used for advertising and tracking across the web (see, for example, the types of cookies used by Google). A third-party server can create a profile of a user's browsing history and habits based on cookies sent to it by the same browser when accessing multiple sites. Firefox, by default, blocks third-party cookies that are known to contain trackers. Third-party cookies (or just tracking cookies) may also be blocked by other browser settings or extensions. Cookie blocking can cause some third-party components (such as social media widgets) not to function as intended.

Note: Servers can (and should) set the cookie SameSite attribute to specify whether or not cookies may be sent to third-party sites.

Legislation or regulations that cover the use of cookies include the EU's General Data Protection Regulation (GDPR) and ePrivacy Directive, and the California Consumer Privacy Act (CCPA).

These regulations have global reach: they apply to any site on the World Wide Web that users from these jurisdictions (the EU and California) access, with the caveat that California's law applies only to entities with gross revenue over 25 million USD, among other things. These regulations include requirements such as notifying users that your site uses cookies and allowing them to opt out of receiving some or all cookies.
There may be other regulations that govern the use of cookies in your locality. The burden is on you to know and comply with these regulations. There are companies that offer "cookie banner" code that helps you comply with these regulations.

Other ways to store information in the browser
Another approach to storing data in the browser is the Web Storage API. The window.sessionStorage and window.localStorage properties correspond to session and permanent cookies in duration, but have larger storage limits than cookies and are never sent to a server. More structured and larger amounts of data can be stored using the IndexedDB API, or a library built on it.

There are some techniques designed to recreate cookies after they're deleted. These are known as "zombie" cookies. These techniques violate the principles of user privacy and user control, may violate data privacy regulations, and could expose a website using them to legal liability.