
How to Use Secure Cookie in PHP: Simple Guide

To use a secure cookie in PHP, set the secure flag to true in the setcookie() function. This ensures the cookie is only sent over HTTPS connections, protecting it from being sent over insecure HTTP.

Syntax

The setcookie() function in PHP creates cookies. To make a cookie secure, pass the secure option as true in the options array. This tells the browser to send the cookie only over HTTPS.

Here is the syntax:

```php
setcookie(string $name, string $value = "", array $options = []): bool

// Example with secure flag
setcookie("user", "John", [
    "expires" => time() + 3600,
    "path" => "/",
    "secure" => true,
    "httponly" => true
]);
```

  • name: The name of the cookie.
  • value: The value stored in the cookie.
  • expires: When the cookie expires (Unix timestamp).
  • path: The path on the server where the cookie is available.
  • domain: The domain that can access the cookie.
  • secure: Set to true to send the cookie only over HTTPS.
  • httponly: Set to true to make the cookie inaccessible to JavaScript.

Example

This example shows how to set a secure cookie named session_id that expires in 1 hour. The cookie will only be sent over HTTPS and will not be accessible via JavaScript.

```php
<?php
// Set a secure cookie
setcookie("session_id", "abc123", [
    "expires" => time() + 3600, // 1 hour from now
    "path" => "/",
    "secure" => true, // cookie sent only over HTTPS
    "httponly" => true // inaccessible to JavaScript
]);

// $_COOKIE is filled from the request headers, so a cookie set in this
// response only shows up on the next request from the browser.
if (isset($_COOKIE["session_id"])) {
    echo "Secure cookie is set: " . $_COOKIE["session_id"];
} else {
    echo "Secure cookie is not set yet.";
}
?>
```

Output (on the first request):

```
Secure cookie is not set yet.
```

Common Pitfalls

Common mistakes when using secure cookies include:

  • Setting secure to true on a site without HTTPS, so the cookie never gets sent.
  • Not setting httponly, which leaves the cookie readable by any script running on the page (for example through an XSS bug).
  • Forgetting to set the path or domain correctly, causing the cookie to be unavailable where needed.

Always ensure your site uses HTTPS before enabling the secure flag.

```php
<?php
// Wrong: secure cookie on an HTTP-only site (the browser will never send it back)
setcookie("user", "Alice", ["secure" => true]);

// Right: secure cookie on an HTTPS site, also hidden from JavaScript
setcookie("user", "Alice", [
    "secure" => true,
    "httponly" => true
]);
```
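The pitfalls above can be turned into a guard: the helper below, an added example that is not part of the original article, refuses to set a secure cookie unless the request actually arrived over HTTPS and the headers are still open. It assumes PHP 7.3 or later for the options-array form of setcookie() and the samesite key; the function names request_is_https() and set_secure_cookie() are hypothetical.

```php
<?php
// Added example (not from the original article). Assumes PHP >= 7.3.

/**
 * Return true when the current request arrived over TLS.
 * Behind a reverse proxy $_SERVER['HTTPS'] is often empty even though the
 * client used HTTPS; trusting X-Forwarded-Proto is only safe when the proxy
 * overwrites any client-supplied copy, so it is gated by $behindProxy.
 */
function request_is_https(bool $behindProxy = false): bool
{
    if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
        return true;
    }
    if ($behindProxy && ($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https') {
        return true;
    }
    return false;
}

/**
 * Set a cookie with the hardening flags the article describes.
 * Fails loudly on plain HTTP so the "secure cookie that never gets sent"
 * mistake is caught in development instead of silently in production.
 */
function set_secure_cookie(string $name, string $value, int $ttl = 3600): bool
{
    if (!request_is_https()) {
        throw new RuntimeException("Refusing to set secure cookie '$name' over plain HTTP");
    }
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Headers already sent at $file:$line; cookie cannot be set");
    }
    return setcookie($name, $value, [
        'expires'  => time() + $ttl,
        'path'     => '/',
        'secure'   => true,   // only transmitted over HTTPS
        'httponly' => true,   // hidden from document.cookie
        'samesite' => 'Lax',  // not attached to cross-site POST requests
    ]);
}

// Usage: a random session token rather than a guessable literal value.
set_secure_cookie('session_id', bin2hex(random_bytes(16)));
// $_COOKIE['session_id'] becomes available only on the browser's next request.
```

Because setcookie() writes a response header, the helper must be called before any output; the headers_sent() check reports the file and line that started output when that ordering is violated.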

Quick Reference

Tips for using secure cookies in PHP:

  • Use secure => true to send cookies only over HTTPS.
  • Use httponly => true to block JavaScript access.
  • Set expires to control cookie lifetime.
  • Set path and domain to limit cookie scope.
  • Always test cookies on a live HTTPS server.

Key Takeaways

  • Set the secure option to true in setcookie() to send cookies only over HTTPS.
  • Use httponly to prevent JavaScript access to cookies for better security.
  • Ensure your website uses HTTPS before enabling secure cookies.
  • Configure cookie path, domain, and expiration to control cookie scope and lifetime.
  • Test cookie behavior on a live HTTPS environment to confirm proper settings.