
Cookie expiration and security in PHP - Step-by-Step Execution

Concept Flow - Cookie expiration and security
Start script
Set cookie with name, value
Set expiration time
Set security flags (Secure, HttpOnly, SameSite)
Send cookie to browser
Browser stores cookie
Cookie expires after set time or deleted if expired
End script
This flow shows how a PHP script sets a cookie with an expiration time and security flags and sends it to the browser, which stores it until it expires.
Execution Sample
PHP
<?php
// Arguments: name, value, expire (one hour from now), path, domain (default), secure, httponly
setcookie("user", "Alice", time() + 3600, "/", "", true, true);
?>
Sets a cookie named 'user' with the value 'Alice' that expires in 1 hour and is marked Secure and HttpOnly.
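The sample above uses the positional-argument form of setcookie(), which has no way to set the SameSite attribute listed in the concept flow. The following is an added example, not code from the original page: it sets the same cookie with the options-array form available since PHP 7.3 and removes it again by resending it with an expiration in the past. The function names and the constants are assumptions made for this example.

```php
<?php
// Added example (not the page's own code): the 'user' cookie from the execution
// sample, set with the options-array form so that SameSite can be included,
// plus the matching delete call.
declare(strict_types=1);

const COOKIE_NAME = 'user';   // assumed constant
const COOKIE_TTL  = 3600;     // one hour, as in the execution sample

// Attributes shared by the set and the delete call. A browser only replaces
// a cookie whose name, path and domain match, so the delete must repeat them.
function userCookieOptions(int $expires): array
{
    return [
        'expires'  => $expires,  // Unix time; the browser discards the cookie after this
        'path'     => '/',       // valid for the whole site
        'domain'   => '',        // default: current host only (attribute omitted from header)
        'secure'   => true,      // sent only over HTTPS
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Strict',  // not sent on cross-site requests
    ];
}

function setUserCookie(string $value): bool
{
    if (headers_sent()) {
        // Output has already started, so no Set-Cookie header can be added.
        return false;
    }
    return setcookie(COOKIE_NAME, $value, userCookieOptions(time() + COOKIE_TTL));
}

function deleteUserCookie(): bool
{
    if (headers_sent()) {
        return false;
    }
    // An expiration in the past tells the browser to drop the cookie now
    // instead of waiting for the original hour to pass.
    return setcookie(COOKIE_NAME, '', userCookieOptions(time() - COOKIE_TTL));
}

setUserCookie('Alice');
// Later, for example on logout:
// deleteUserCookie();
```

The resulting header reads Set-Cookie: user=Alice; expires=...; Max-Age=3600; path=/; secure; HttpOnly; SameSite=Strict, matching step 8 of the execution table with the SameSite attribute added.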
Execution Table
Step | Action | Parameter/Value | Effect
1 | Call setcookie | name = 'user' | Prepare cookie named 'user'
2 | Call setcookie | value = 'Alice' | Set cookie value to 'Alice'
3 | Call setcookie | expire = current time + 3600 | Cookie expires in 1 hour
4 | Call setcookie | path = '/' | Cookie valid for entire domain
5 | Call setcookie | domain = '' (default) | Cookie valid for current domain
6 | Call setcookie | secure = true | Cookie sent only over HTTPS
7 | Call setcookie | httponly = true | Cookie inaccessible to JavaScript
8 | Send cookie header | Set-Cookie: user=Alice; expires=...; path=/; Secure; HttpOnly | Browser receives cookie
9 | Browser stores cookie | Expires in 1 hour | Cookie saved until expiration
10 | After 1 hour | Cookie expires | Browser deletes cookie
11 | End | - | Script ends
💡 Cookie expires after 1 hour, browser deletes it automatically
Variable Tracker
Variable | Start | After setcookie call | After sending header | After expiration
name | - | user | user | -
value | - | Alice | Alice | -
expire | - | time()+3600 | time()+3600 | expired
path | - | / | / | -
domain | - | '' (default) | '' (default) | -
secure | - | true | true | -
httponly | - | true | true | -
Key Moments - 3 Insights
Why do we add time() + 3600 for expiration?
Because time() returns the current Unix time in seconds, adding 3600 sets the expiration one hour later (see execution table step 3).
What does setting 'secure' to true do?
It ensures the cookie is sent only over HTTPS connections, so it is never transmitted over insecure HTTP (see execution table step 6).
Why use 'httponly' flag?
It prevents JavaScript from reading the cookie, which limits the damage a cross-site scripting attack can do, since injected script cannot steal the cookie value (see execution table step 7).
Visual Quiz - 3 Questions
Test your understanding
Look at the execution table: what is the expiration time set to at step 3?
A. Current time minus 3600 seconds
B. No expiration time set
C. Current time plus 3600 seconds
D. Current time plus 60 seconds
💡 Hint
Check the 'expire' parameter in execution table row 3
At which step does the cookie become inaccessible to JavaScript?
A. Step 7
B. Step 6
C. Step 4
D. Step 9
💡 Hint
Look for the 'httponly' flag in the execution table
If 'secure' was set to false, what would change in the execution table?
A. Step 6 would say 'Cookie sent only over HTTPS'
B. Step 6 would say 'Cookie sent over HTTP and HTTPS'
C. Step 7 would be skipped
D. Cookie would expire immediately
💡 Hint
Check the meaning of the 'secure' flag in execution table step 6
Concept Snapshot
PHP setcookie() sets a cookie with a name, a value and an expiration time (seconds since the Unix epoch).
Expiration is set by adding seconds to the current time (time()+seconds).
Secure flag ensures the cookie is sent only over HTTPS.
HttpOnly flag blocks JavaScript access.
Path and domain control cookie scope.
Browser deletes cookie after expiration automatically.
Full Transcript
This visual execution trace shows how PHP sets a cookie with expiration and security flags. The script calls setcookie with parameters: name 'user', value 'Alice', expiration time set to current time plus 3600 seconds (1 hour), path '/', secure flag true, and httponly flag true. Each step sets part of the cookie data. The browser receives the cookie header and stores the cookie. After 1 hour, the cookie expires and the browser deletes it automatically. The secure flag ensures the cookie is sent only over HTTPS, and httponly prevents JavaScript access, improving security. Variables like name, value, expire, secure, and httponly change as the script runs. Key moments clarify why expiration uses time()+3600, and why secure and httponly flags matter. The quiz tests understanding of expiration time, when httponly applies, and effects of changing secure flag.