3

Is it OK to send cookie headers directly with header() calls?

I am tinkering with http cookie mechanism in PHP and would like (at least initially) to try the "raw" thing :)

Brad Christie's answer to "php-how-to-stringify-array-and-store-in-cookie" assumes it is, but is there a somewhat official source on the topic (or is it at least a well-known practice)?

Thanks in advance for clarifying the topic.

[EDIT: AN IMPORTANT NOTICE]

An interesting thing I have discovered is that calling header('Set-Cookie: ...'); effectively prevents any cookies previously supplied with setcookie('...'); from being sent, at least on my machine (PHP 5.3.5, Apache 2.2.17, WinXP SP2). Whether this is a feature / bug(?) or a consequence of PHP semantics/rules violation, I don't know.

Analyzing PHP .c sources will possibly bring an answer (one should possibly look into head.c (header(), setcookie(), etc) and mod_php5.c (Apache module) files for that).

mlvljr
  • 1
    It probably goes against German laws. – Álvaro González Mar 31 '11 at 12:04
  • @Álvaro G. Vicario How so? Too strict? – mlvljr Mar 31 '11 at 12:05
  • Side question: is there a real cookie spec at last? – Álvaro González Mar 31 '11 at 12:05
  • @Alvaro I would say RFC 2965 is the "spec" -- http://www.ietf.org/rfc/rfc2965.txt – Pascal MARTIN Mar 31 '11 at 12:06
  • 1
    @mlvljr The [manual](http://www.php.net/manual/en/function.header.php) says that by default, a call to this function will replace any previous header with the same name. This might be the reason why it overrides any previous value set with `setcookie()`. Have you tried with `header('Set-Cookie: ...', false);`? – BenMorel Jul 02 '14 at 11:40
  • @Benjamin Maybe (but more probably, not), can't remember for sure; I do remember being pissed off by PHP behaving in a surprisingly unintuitive manner, but maybe I just got unlucky, indeed. – mlvljr Jul 02 '14 at 16:41

4 Answers

4

Considering cookies are just HTTP headers, you can, of course, send them using the header() function.

But this is re-inventing the wheel (and you'll have to deal with all possibilities yourself), as PHP provides the setcookie() function.

Still, if you want to learn how cookies work, why not?
This can be interesting ;-)

Pascal MARTIN
  • So, the practice is totally OK -- no extra processing by PHP, etc? (I just remember that sending a response header is recognized as such and processed in a special (appropriate) way) – mlvljr Mar 31 '11 at 12:04
  • 2
    Using `header()` to set up cookies in a real application doesn't look like a good idea, considering there is `setcookie()`; but, as a learning exercise, yes, it's totally OK to re-invent the wheel ;-) – Pascal MARTIN Mar 31 '11 at 12:05
2

PHP won't care either way. Setting a cookie just means sending the header. There's nothing else involved from PHP's side (unless you're talking about sessions, but apparently you aren't). You can send any raw header you want, PHP won't care. If you send the correct header and the client returns the cookie on the next request, PHP will parse it correctly into the $_COOKIE array. And that's all there is to it.

deceze
  • Is it documented somewhere (yes, I'm almost sure it isn't but anyway)? Or should I just look at the PHP sources to get (final) confidence? – mlvljr Mar 31 '11 at 12:07
  • 1
    @mlv [The manual](http://php.net/manual/en/function.header.php) says there are two special cases for header: `Location:` and `HTTP/` headers. All other headers are just output as given without side effects. I'm afraid this kind of negative confirmation is the best you'll find. ;-) – deceze Mar 31 '11 at 12:10
1

It's definitely ok. There is no difference between proper cookies sent with raw headers and ones sent via set_cookie().

code_burgar
0

IT IS NOT

Please see the "edit" part of the question.

mlvljr
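
The behaviour reported in the question's edit, and the `header('Set-Cookie: ...', false)` call suggested in the comments, shown as an added example that is not code from any of the posts above. `raw_cookie_header()` is a hypothetical helper and the cookie names and values are constructed; it does by hand the value encoding and validation that a raw `Set-Cookie` line otherwise skips.

```php
<?php
// Added example; serve it through a web SAPI, e.g. `php -S 127.0.0.1:8000`.
// raw_cookie_header() is a hypothetical helper, not a PHP built-in.

function raw_cookie_header(string $name, string $value, array $attrs = []): string
{
    // Cookie names are HTTP tokens: no separators, whitespace or control characters.
    if ($name === '' || preg_match('/[^!#$%&\'*+\-.^_`|~0-9A-Za-z]/', $name)) {
        throw new InvalidArgumentException('invalid cookie name');
    }
    // Percent-encode the value so ";", ",", spaces and CR/LF cannot alter the
    // header; PHP URL-decodes it again when it fills $_COOKIE.
    $line = 'Set-Cookie: ' . $name . '=' . rawurlencode($value);

    foreach ($attrs as $key => $val) {
        if ($val === false) {
            continue;                       // attribute switched off
        }
        if (!preg_match('/^[A-Za-z-]+$/', (string) $key)
            || ($val !== true && preg_match('/[;\r\n]/', (string) $val))) {
            throw new InvalidArgumentException('invalid cookie attribute');
        }
        // Flags such as HttpOnly carry no value; others are written as Key=Value.
        $line .= '; ' . $key . ($val === true ? '' : '=' . $val);
    }
    return $line;
}

// Queued by PHP as an ordinary Set-Cookie response header.
setcookie('first', 'one');

$attrs = ['Path' => '/', 'HttpOnly' => true, 'SameSite' => 'Lax'];

// $replace = false appends this header. With the default (true), header()
// replaces every Set-Cookie header queued so far, including setcookie()'s.
header(raw_cookie_header('second', 'two; words', $attrs), false);

header('Content-Type: text/plain');
foreach (headers_list() as $h) {
    if (stripos($h, 'Set-Cookie:') === 0) {
        echo $h, "\n";                      // list the cookie headers that will be sent
    }
}
```

Dropping the `false` argument and reloading shows whether the `first` cookie survives on a given PHP version and SAPI.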