🍪 PHP Cookies – Store and Retrieve User Data in the Browser

Learn how to use cookies in PHP to persist data on the client side, manage user preferences, and build personalized web experiences.

🧲 Introduction – Why Cookies Matter in PHP

Cookies are small pieces of data stored on the user’s browser. They are used to remember users, store preferences, or track session-like data across multiple visits. In PHP, cookies provide a simple mechanism to persist information without server-side storage.

🎯 In this guide, you’ll learn:

• How to create, read, and delete cookies in PHP
• Use cases for cookie-based persistence
• Cookie lifetime and scope control
• Best practices for cookie security

🍪 PHP Cookies

setcookie("user", "Alice", time() + 3600); // Expires in 1 hour
echo $_COOKIE['user'];

➡️ Cookies store data on the client
➡️ Used for preferences, login persistence, themes, or temporary flags

✅ Setting a Cookie in PHP

setcookie("theme", "dark", time() + (86400 * 7), "/");

• "theme" = cookie name
• "dark" = cookie value
• time() + (86400 * 7) = expires in 7 days
• "/" = available across the entire domain

⚠️ Must be called before any HTML output.

📥 Reading Cookies in PHP

if (isset($_COOKIE['theme'])) {
    echo "Your theme is: " . $_COOKIE['theme'];
}

✅ Check with isset() before using
✅ Always sanitize output to prevent XSS

❌ Deleting Cookies

setcookie("theme", "", time() - 3600);

➡️ Set the expiration date in the past to remove the cookie

🔐 Securing Cookies

🔹 Secure Parameters in setcookie()

setcookie("auth_token", "xyz123", [
  'expires' => time() + 3600,
  'path' => '/',
  'secure' => true,      // HTTPS only
  'httponly' => true,    // JavaScript can't access
  'samesite' => 'Strict' // Prevent CSRF
]);

✅ Use these for sensitive data like auth tokens
✅ Requires PHP 7.3+

🧪 Practical Use Cases

• Remember username or theme across visits
• Track landing page referral
• Store temporary state (e.g., cart ID, flags)
• Control promotional popups or messages

📌 Summary – Recap & Next Steps

Cookies are a client-side tool for persisting small pieces of data across browser sessions. They’re ideal for personalizing user experiences and reducing redundant server-side lookups. Always secure cookies that store sensitive information.

🔍 Key Takeaways:

• Use setcookie() to store data in the browser
• Cookies must be set before any output
• Use $_COOKIE to retrieve values
• Delete cookies by setting a past expiration time
• Secure sensitive cookies using httponly, secure, and samesite

⚙️ Real-World Use Cases:
Remembering preferences, tracking visits, auto-filling login data, user experience personalization

❓ Frequently Asked Questions (FAQs)

❓ What is the size limit of a PHP cookie?
✅ Around 4 KB per cookie; varies slightly by browser.

❓ Can users delete or modify cookies?
✅ Yes. Cookies are stored in the browser and can be deleted or edited by the user at any time.

❓ Why is my cookie not being set in PHP?
✅ Cookies must be set before any output (even whitespace). Use setcookie() before echo or HTML.

❓ Is it safe to store login information in a cookie?
⚠️ Only store non-sensitive identifiers. Use tokens with httponly and secure flags for authentication systems.

❓ What’s the difference between cookies and sessions?
✅ Cookies are stored on the client, sessions are stored on the server and referenced via a cookie.