Set a cookie to never expire

Question

Looking at the php documentation on setting a cookie I see that I can set an expiration date for the cookie. You can set the cookie to expire at the end of the browser session or at some time in the future but I do not see a way to set the cookie to never expire. Is this even possible and how is this accomplished?

Because that is not possible anyway as per the cookie specification. It can not be set to never expire. — Sarfraz, Jul 20 '10 at 14:23
You may use `$cookie->setMaxAge(2147483647);`, which is later than 2080 and works on both 32-bit and 64-bit, with https://github.com/delight-im/PHP-Cookie — caw, Jul 12 '16 at 23:39

score 310 · Accepted Answer · edited Jul 20 '23 at 15:55

310

All cookies expire as per the cookie specification, so this is not a PHP limitation.

Use a far future date. For example, set a cookie that expires in ten years:

setcookie(
  "CookieName",
  "CookieValue",
  time() + (10 * 365 * 24 * 60 * 60)
);

Note that if you set a date past 2038 in 32-bit PHP, the number will wrap around and you'll get a cookie that expires instantly.

Edit: As in 2023, obeying the max depends on the web browsers. As of Chrome release M104 (August 2022) cookies can no longer set an expiration date of more than 400 days in the future.

edited Jul 20 '23 at 15:55

ankitjaininfo

11,961
7
52
75

answered Jul 20 '10 at 13:35

Joeri Hendrickx

16,947
4
41
53

8

Agreed! And I think, that in 20 years, websites will be far ahead, that possibly no cookies will be used.. @brainimus: Just use the oldschool system everyone mentioned - current time + time in far future! – tomsseisums Jul 20 '10 at 13:38
16

Beware that when 2018 comes around, if we're not using 64-bit PHP, that this will wrap around the 32-bit integer and get sent to the client as a time near zero. (This is happening right now for 25-year cookies on PHP.) – Riking Apr 11 '13 at 22:28
A bit short, I think. Could also just set the max date, but then you'd have to make sure you're not running the app anymore by then. – Joeri Hendrickx Apr 15 '13 at 07:45
1

Well 10 years is not a long time ;-) See David's answer. – PJ Brunet May 08 '13 at 09:32
116

Will be funny to come back to these comments in 2018 (just 5 years away now) and see as everyone scramble to implement the Y2018 upgrade then again 20 years later in 2038. Hopefully we all make the jump to 64-bit everything by then this won't be a problem for another 292 billion years on Sunday, 4 December 292,277,026,596. Unless we reach a singularity before I die I don't think I'll have to worry about that one. – shaunhusain Oct 20 '13 at 00:48
74

If a person is using the same computer at the end of 2037 that they are using now... that would just be sad! – Abela Oct 20 '13 at 02:50
3

You could always set the expiration time directly with a raw HTTP header: `header('Set-Cookie: cookie_name=cookie_value; expires=Fri, 31-Dec-9999 23:59:59 GMT');`. Unless the PHP devs decides to finally make `setcookie` utilize 64-bit integers for the timestamp value (64-bit POSIX timestamps can be generated with e.g. `date_create('+1000 years')->format('U')`, even on 32-bit PHP), it might be up to ourselves to write custom setcookie functions in our applications.. – user966939 Jun 08 '15 at 03:11
1

You can make it infinite by giving them a new cookie on their next visit – Andrew Aug 19 '15 at 20:01
@Andrew But what if they come back after 10 years? – Jez Aug 07 '16 at 11:44
2

@shaunhusain Hello from the future. Just one more year to 2018... I think most people use 64 bit php now.... – Tschallacka Jan 06 '17 at 10:03
2

@Tschallacka thanks for the update, yeah I think really most developers back then were working with 64 bit hardware but not sure what the actual OS and packages were that were most widely distributed (or current stats for that matter) but seems like disaster averted..... for now (honestly somewhat surprising how well PHP has managed to survive and evolve to this point). – shaunhusain Jan 09 '17 at 08:31
Why? What's with 2038? – Jimwel Anobong May 09 '17 at 18:20
`Expires=Tue, 19 Jan 2038 03:14:07 GMT` – worsnupd Aug 09 '17 at 01:12
40

I'm reading this in 2018, panicked for a moment, then realized I was ok. – The Interloper Jan 24 '18 at 20:54
11

Tomorrow it's gonna be 2019 and I'm implementing cookies on my website rather than eating some during the celebrations. – Ömer An Dec 31 '18 at 04:02
28

Hello fellow time-travelers, I'm speaking to you from far into 2019. Our planet has changed a lot. We're seeking for places among the universe to save our species. In the meanwhile we still use cookies. – Tim van Uum Aug 23 '19 at 07:29
1

Any updates on whether this caused some headaches for people in 2018? ;) – sudoExclaimationExclaimation Jan 27 '21 at 11:24
Speaking from Late 2021, the flow of time is still.... well.. flowing. – Richard Aug 02 '21 at 00:43
3

Reading this from my neuralink in 2947. We still use cookies, but they're now called numnums. – Jiminy Cricket Aug 20 '21 at 03:32
Lol like people will still even be using cookies in 2018... – Albert Renshaw Nov 04 '21 at 22:15
3

i am from 2022 and the world still using cookie ;) – yasir shah Mar 01 '22 at 04:33

score 115 · Answer 2 · answered Mar 18 '14 at 12:30

Maximum value: 2147483647

setcookie("CookieName", "CookieValue", 2147483647);

To avoid integer overflow the timestamp should be set to:

2^31 - 1 = 2147483647 = 2038-01-19 04:14:07

Setting a higher value might cause problems with older browsers.

Also see the RFC about cookies:

Max-Age=value
  OPTIONAL.  The value of the Max-Age attribute is delta-seconds,
  the lifetime of the cookie in seconds, a decimal non-negative
  integer.  To handle cached cookies correctly, a client SHOULD
  calculate the age of the cookie according to the age calculation
  rules in the HTTP/1.1 specification [RFC2616].  When the age is
  greater than delta-seconds seconds, the client SHOULD discard the
  cookie.  A value of zero means the cookie SHOULD be discarded
  immediately.

and RFC 2616, 14.6 Age:

If a cache receives a value larger than the largest positive integer it can represent, or if any of its age calculations overflows, it MUST transmit an Age header with a value of 2147483648 (2^31).

http://www.faqs.org/rfcs/rfc2616.html

Very thorough! Thank you for the good references. – kevinarpe Aug 25 '21 at 14:05 — kevinarpe, Aug 25 '21 at 14:05

score 44 · Answer 3 · edited Sep 06 '18 at 20:00

44

Set a far future absolute time:

setcookie("CookieName", "CookieValue", 2147483647);

It is better to use an absolute time than calculating it relative to the present as recommended in the accepted answer.

The maximum value compatible with 32 bits systems is:

2147483647 = 2^31 = ~year 2038

edited Sep 06 '18 at 20:00

HoldOffHunger

18,769
10
104
133

answered Jul 27 '12 at 09:45

David

2,942
33
16

25

2 billions is easy to remember but the ideal number for $forever would be 2^31 - 1 = 2147483647 corresponding to January 2038. It is the maximum value to avoid the integer overflow of the 2038 bug as @John said. – David Jul 27 '12 at 10:03
Looking back in 2023, is there a site to check the market share (the real usage) of 32-bit hardwares? Since, 2038 is approaching, and even IE is deprecating! I now kinda double if anyone would still use such old computer or new IoT device (which usually are 32-bit) to surf the web. But I know many labs and hospitals still have old PCs connected to internet, though user are warned to not use the network-related func – jimmymcheung Mar 04 '23 at 14:10

score 16 · Answer 4 · answered Jun 26 '12 at 18:44

My privilege prevents me making my comment on the first post so it will have to go here.

Consideration should be taken into account of 2038 unix bug when setting 20 years in advance from the current date which is suggest as the correct answer above.

Your cookie on January 19, 2018 + (20 years) could well hit 2038 problem depending on the browser and or versions you end up running on.

score 6 · Answer 5 · edited Apr 10 '16 at 18:32

6

Can't you just say a never ending loop, cookie expires as current date + 1 so it never hits the date it's supposed to expire on because it's always tomorrow? A bit overkill but just saying.

edited Apr 10 '16 at 18:32

xiº

4,605
3
28
39

answered Aug 28 '12 at 23:10

Jesus

69
1
1

1

Actually, he has a point. Just using some suitable 'inactivity period' of, say, 3 months and then refreshing the cookie with that period on each request does make some sense. – Stijn de Witt Sep 11 '14 at 20:09
@StijndeWitt Or just 10 years. Then update it if the user visits within 10 years... – Jez Aug 07 '16 at 11:47

JCollier · Answer 6 · 2022-10-26T02:23:42.200

6

As of whenever the link here was posted, Chrome cookies can, at max, live as long as 400 days. Chrome is a big deal at the time of this response, so I would make a cookie's expiration be in 400 days or less.

If you don't want to click on the link, it says, in summary:

When cookies are set with an explicit Expires/Max-Age attribute the value will now be capped to no more than 400 days in the future. Previously, there was no limit and cookies could expire as much as multiple millennia in the future.

edited Oct 26 '22 at 02:23

answered Sep 30 '22 at 21:07

JCollier

1,102
2
19
31

1

Yeah, as of late 2022 the best answer to this question has basically changed to "just set it to 400 days" if you want it to last as long as possible. Although there is no harm in setting it longer as the browser will just reduce it to this anyway. But also, it's more important to address the issue of refreshing cookies now too, as having everyone auto logged out after just over a year even when they are constantly using a website is not a desired behaviour! – Snor Jan 11 '23 at 10:57

score 5 · Answer 7 · answered Jul 20 '10 at 13:41

5

While that isn't exactly possible you could do something similar to what Google does and set your cookie to expire Jan 17, 2038 or something equally far off.

In all practicality you might be better off setting your cookie for 10 years or 60*60*24*365*10, which should outlive most of the machines your cookie will live on.

answered Jul 20 '10 at 13:41

h3r2on

379
1
3
12

2

That will work until early 2028, at which point you'll overflow the value and the cookies will stop working. Better to use an absolute value instead. – davidjbullock May 31 '14 at 17:54
1

Assuming his code will still be running on outdated machines in 2028... Somehow I am more worried that everyone will forget to update the fixed date... Software tends to outlive hardware. – Stijn de Witt Sep 11 '14 at 20:07

score 4 · Answer 8 · edited Nov 14 '12 at 09:55

4

If you want to persist data on the client machine permanently -or at least until browser cache is emptied completely, use Javascript local storage:

https://developer.mozilla.org/en-US/docs/DOM/Storage#localStorage

Do not use session storage, as it will be cleared just like a cookie with a maximum age of Zero.

edited Nov 14 '12 at 09:55

j0k

22,600
28
79
90

answered Nov 14 '12 at 09:37

Björn

57
1
1

Cant consider localStorage when it comes to reading server-side data. – WhiteHorse Apr 03 '20 at 10:55

Pedro Lobito · Answer 9 · 2020-05-22T11:45:53.237

2

Never and forever are two words that I avoid using due to the unpredictability of life.

The latest time since 1 January 1970 that can be stored using a signed 32-bit integer is 03:14:07 on Tuesday, 19 January 2038 (231-1 = 2,147,483,647 seconds after 1 January 1970). This limitation is known as the Year 2038 problem

setCookie("name", "value", strtotime("2038-01-19 03:14:07"));

edited May 22 '20 at 11:45

answered May 03 '20 at 22:50

Pedro Lobito

94,083
31
258
268

score 1 · Answer 10 · edited Oct 02 '21 at 05:43

1

You can set a far date from the date, the cookie is created like this:

var Cookie_expiry = new Date();
Cookie_expiry.setDate(Cookie_expiry.getDate()+10e5);   
// expiry date of cookie is set to be practically infinite (~ 4000 years)
setCookie('token', 'token_value', {expires: Cookie_expiry});

edited Oct 02 '21 at 05:43

Pierre.Vriens

2,117
75
29
42

answered Oct 02 '21 at 04:27

AYUSH JAIN

11
1

score 0 · Answer 11 · answered Jul 20 '10 at 13:32

0

I believe that there isn't a way to make a cookie last forever, but you just need to set it to expire far into the future, such as the year 2100.

answered Jul 20 '10 at 13:32

Joel Kennedy

1,581
5
19
41

Sarfraz · Answer 12 · 2010-07-20T13:44:02.887

0

You shouldn't do that and that's not possible anyway, If you want you can set a greater value such as 10 years ahead.

By the way, I have never seen a cookie with such requirement :)

edited Jul 20 '10 at 13:44

answered Jul 20 '10 at 13:34

Sarfraz

377,238
77
533
578

I would assume cookies for uniquely answered polls that don't want to bother too much with preventing multiple entries have this requirement. – Random Elephant Dec 02 '19 at 21:29
look @sarfraz its the computer cookie not the ones you eat. – webs Feb 29 '20 at 23:15

score -1 · Answer 13 · answered Oct 20 '11 at 19:00

-1

I'm not sure but aren't cookies deleted at browser close? I somehow did a never expiring cookie and chrome recognized expired date as "at browser close" ...

answered Oct 20 '11 at 19:00

paulgavrikov

1,883
3
29
51

8

Not necessarily, if you set an expiration date on the cookie, it will survive after you close your browser and re-open it. If you do not set an expiration, the default behavior will be to be deleted when you close your browser. – HoLyVieR Oct 20 '11 at 23:24

score -2 · Answer 14 · answered Jul 20 '10 at 13:32

-2

You can't but what if you set expire time to now + 100 years ?

answered Jul 20 '10 at 13:32

Boris Delormas

2,509
1
19
27

3

No, because that would exceed the maximum value in January 2038. – davidjbullock May 31 '14 at 17:52

Set a cookie to never expire

14 Answers14

Linked

Related