Cookies

Cookies done right: HttpOnly, Secure, SameSite, and practical rules.

What Cookies Are

Cookies are small name/value pairs the server stores in the browser; the browser sends them back automatically with every request that matches the cookie's domain and path. They are commonly used for session identifiers, user preferences, and remember-me tokens. Because the browser (and anyone who controls it) can send any value it likes, a cookie is untrusted client input and must be validated like a query parameter.

Setting a Cookie

Always set the security attributes explicitly when creating a cookie; the defaults (no Secure, no HttpOnly, and a browser-dependent SameSite) are not safe for anything sensitive. The options-array form of setcookie() shown here requires PHP 7.3 or later.

<?php
setcookie(
  "theme",
  "dark",
  [
    "expires" => time() + 3600,   // Unix timestamp; 0 would make it a session cookie
    "path" => "/",                // sent for every path on this host
    "secure" => true,             // only transmitted over HTTPS
    "httponly" => true,           // hidden from document.cookie in JavaScript
    "samesite" => "Lax",          // not sent on cross-site POSTs and subresource loads
  ]
);

Reading a Cookie

<?php
// $_COOKIE is attacker-controlled: fall back to the default both when the
// cookie is missing and when it holds a value we do not expect.
$theme = $_COOKIE["theme"] ?? "light";
if (!in_array($theme, ["light", "dark"], true)) {
  $theme = "light";
}

Deleting a Cookie

<?php
// A cookie is only overwritten if the name, path and domain match the original,
// so delete it with the same path (and domain, if one was used) it was set with.
setcookie("theme", "", [
  "expires" => time() - 3600,   // any time in the past makes the browser discard it
  "path" => "/",
  "secure" => true,
  "httponly" => true,
  "samesite" => "Lax",
]);
unset($_COOKIE["theme"]);       // the superglobal still holds the old value for this request

Security Flags Explained

Secure: the browser only sends the cookie over HTTPS, so it cannot be captured by a passive observer on a plain-HTTP connection. Always set it; a site that is HTTPS-only has no reason to omit it.

HttpOnly: the cookie is not exposed to document.cookie, so a cross-site scripting payload cannot read and exfiltrate it. It does not stop injected script from making requests that carry the cookie, so it limits the damage of XSS rather than preventing it.

SameSite: controls whether the cookie is attached to requests initiated from another site. Strict never sends it cross-site; Lax (the usual choice, and the default in Chromium-based browsers) sends it only on top-level navigations with safe methods such as GET; None sends it everywhere and is only honoured when Secure is also set. SameSite cuts down cross-site request forgery, but it is not a complete defence: subdomains of the same registrable domain count as same-site, and Lax still allows a forged top-level GET, so state-changing endpoints still need an anti-CSRF token and should not accept GET.
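The following helper is an added example, not code from the original page or from PHP itself. It wraps setcookie() so that every cookie is Secure, host-only and SameSite-restricted, rejects SameSite=None (which the page's own guidance does not need), and shows how the same attributes are applied to the PHP session cookie via session_set_cookie_params() and session.use_strict_mode. The function names set_hardened_cookie and configure_session_cookie are assumptions made for this example; it requires PHP 8.0 or later for str_starts_with().

```php
<?php
declare(strict_types=1);

/**
 * Set a cookie with every security attribute fixed to a safe value.
 * Hypothetical helper written for this page; not part of PHP or any framework.
 *
 * @param int $ttl seconds until expiry; 0 makes a session cookie (discarded on browser exit)
 */
function set_hardened_cookie(
    string $name,
    string $value,
    int $ttl = 0,
    string $sameSite = "Lax",
    bool $httpOnly = true
): bool {
    if (!in_array($sameSite, ["Lax", "Strict"], true)) {
        // SameSite=None would only be honoured with Secure and re-enables cross-site
        // sending; this site does not embed cross-site, so refuse it outright.
        throw new InvalidArgumentException("SameSite must be Lax or Strict");
    }
    // Browsers only accept a __Host- prefixed cookie when it is Secure, has
    // Path=/ and no Domain attribute. This wrapper guarantees all three, so the
    // prefix can be used to stop a sub-domain or a non-HTTPS origin from planting
    // a cookie of the same name (cookie "tossing").
    if (str_starts_with($name, "__Host-") === false && str_starts_with($name, "__Secure-") === false) {
        trigger_error("Consider a __Host- prefix for $name", E_USER_NOTICE);
    }
    return setcookie($name, $value, [
        "expires"  => $ttl > 0 ? time() + $ttl : 0,
        "path"     => "/",
        "domain"   => "",          // empty = host-only; sub-domains cannot read it
        "secure"   => true,
        "httponly" => $httpOnly,
        "samesite" => $sameSite,
    ]);
}

/**
 * Apply the same attributes to PHP's own session cookie. Must run before
 * session_start(), otherwise the cookie has already been emitted.
 */
function configure_session_cookie(): void
{
    session_set_cookie_params([
        "lifetime" => 0,           // session cookie: no persistent copy on disk
        "path"     => "/",
        "domain"   => "",
        "secure"   => true,
        "httponly" => true,
        "samesite" => "Strict",
    ]);
    // Reject session IDs the server never issued (blocks session fixation).
    ini_set("session.use_strict_mode", "1");
    // Never accept the session ID from the URL.
    ini_set("session.use_only_cookies", "1");
}

// Usage: a preference that client-side script needs to read is the one case
// where HttpOnly is turned off; the session cookie keeps every flag.
configure_session_cookie();
session_start();
set_hardened_cookie("__Host-theme", "dark", 3600, "Lax", false);
```

The wrapper deliberately has no $domain parameter: a cookie scoped to the parent domain is readable by every sub-domain, so a compromised or forgotten sub-domain could steal it. If a cookie genuinely has to be shared across sub-domains, add the parameter consciously rather than by default.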

Production Tip

Never store passwords, personal data, roles, or any other value the server later trusts in a cookie: the user can read and edit it, a network observer may see it if Secure is missing, and an XSS payload may read it if HttpOnly is missing. Put only an opaque, randomly generated token in the cookie (a PHP session ID, or a remember-me token generated with random_bytes()) and keep the data it refers to on the server, where it can be validated, expired, and revoked.
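As an added example of the token-referencing-server-side-data pattern, and not code from the original page, here is a remember-me implementation. The cookie holds a random selector plus a random verifier; the server stores only a SHA-256 hash of the verifier, so a leaked copy of the table cannot be turned into valid cookies, and the lookup compares hashes with hash_equals() to avoid timing leaks. The in-memory $store array stands in for a database table and the function names are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a database table remember_tokens(selector, hash, user_id, expires).
$store = [];

/** Create a token for a logged-in user; returns the value to place in the cookie. */
function issue_remember_token(array &$store, int $userId, int $ttl = 30 * 86400): string
{
    $selector = bin2hex(random_bytes(12));   // public lookup key, 96 bits
    $verifier = bin2hex(random_bytes(32));   // secret proof, 256 bits, never stored in clear
    $store[$selector] = [
        "hash"    => hash("sha256", $verifier),
        "user_id" => $userId,
        "expires" => time() + $ttl,
    ];
    return $selector . ":" . $verifier;
}

/** Resolve a cookie value to a user ID, or null if it is malformed, unknown, expired or wrong. */
function verify_remember_token(array &$store, string $cookieValue): ?int
{
    // The cookie is attacker-controlled: enforce the exact shape before touching the store.
    if (!preg_match('/^([0-9a-f]{24}):([0-9a-f]{64})$/', $cookieValue, $m)) {
        return null;
    }
    [, $selector, $verifier] = $m;
    $row = $store[$selector] ?? null;
    if ($row === null) {
        return null;
    }
    if ($row["expires"] < time()) {
        unset($store[$selector]);            // expired: remove so it can never be replayed
        return null;
    }
    if (!hash_equals($row["hash"], hash("sha256", $verifier))) {
        // Correct selector with a wrong verifier suggests the table leaked and someone is
        // guessing; revoke the token so the legitimate copy stops working too.
        unset($store[$selector]);
        return null;
    }
    return $row["user_id"];
}

/** Invalidate a token on logout so the cookie becomes useless even if it was copied. */
function revoke_remember_token(array &$store, string $cookieValue): void
{
    if (preg_match('/^([0-9a-f]{24}):/', $cookieValue, $m)) {
        unset($store[$m[1]]);
    }
}

function set_remember_cookie(string $token, int $ttl = 30 * 86400): bool
{
    return setcookie("__Host-remember", $token, [
        "expires"  => time() + $ttl,
        "path"     => "/",
        "domain"   => "",
        "secure"   => true,
        "httponly" => true,                  // script never needs the token
        "samesite" => "Lax",
    ]);
}

// Usage at login time:
$token = issue_remember_token($store, 42);
set_remember_cookie($token);

// Usage on a later request (the value would come from $_COOKIE["__Host-remember"]):
$userId = verify_remember_token($store, $token);            // 42
$tampered = verify_remember_token($store, substr($token, 0, -1) . "0");  // null, and token revoked
```

Keep the remember-me token separate from the session: on a successful verify, start a fresh session and regenerate its ID rather than reusing whatever session cookie arrived with the request, and delete the token row on logout and on password change.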