Enter your Sign on user name and password.

Forgot password?
Sign In | Subscribe
Start learning today, and be successful in your academic & professional career. Start Today!
Loading video...
This is a quick preview of the lesson. For full access, please Log In or Sign up.
For more information, please see full course syllabus of Advanced PHP
  • Discussion

  • Study Guides

  • Download Lecture Slides

  • Table of Contents

  • Transcription

  • Related Services

Start Learning Now

Our free lessons will get you started (Adobe Flash® required).
Get immediate access to our entire library.

Sign up for Educator.com

Membership Overview

  • Unlimited access to our entire library of courses.
  • Search and jump to exactly what you want to learn.
  • *Ask questions and get answers from the community and our teachers!
  • Practice questions with step-by-step solutions.
  • Download lesson files for programming and software training practice.
  • Track your course viewing progress.
  • Download lecture slides for taking notes.
  • Learn at your own pace... anytime, anywhere!


  • A cookie is a piece of information set by an HTTP server and sent to a web client within an HTTP response for storage by the client.
  • Cookies are associated with a particular website, and each time a client requests a page from a website for which it has received & stored a cookie, it includes the corresponding cookie’s data within its HTTP request.
  • HTTP is a stateless protocol meaning that each HTTP transaction between a client & server has no ‘memory’ of any previous transactions.
  • The purpose of cookies is to allow state, or knowledge of previous events, to be introduced into HTTP transactions.
  • The way a web server sends a cookie to a client is via the Set-Cookie header of an HTTP response:
    HTTP/1.1 200 OK
    Date: Wed, 3 Aug 2011 23:59:59 GMT
    Content-Type: text/html
    Set-Cookie: cookie=cookieValue
    Host: www.educator.com
  • Cookie data is in the form of name-value pairs.
  • Each time a client requests a page from a website for which it has a cookie, it sends the cookie’s information back to the server using the Cookie HTTP request header:
    GET /index.html HTTP/1.1
    Host: www.educator.com
    Cookie: cookie=cookieValue
  • setcookie() is a built-in PHP function that allows a script to send a cookie to a web client. It must be called before any of a script’s output is generated.
  • Cookies have several attributes that can be set which determine whether a client sends a particular cookie in its request for a page from a particular website:
    • domain – specifies the domain which a cookie applies to
    • path – specifies a particular path within a domain that the cookie applies to
    • expires – the data & time when a cookie is no longer valid
  • $_COOKIE is a superglobal associative array containing any cookie name/value pairs sent by a client in its request for a PHP script.
  • Additional Resources:


Lecture Slides are screen-captured images of important points in the lecture. Students can download and print out these lecture slide images to do practice problems as well as take notes while watching the lecture.

  • Intro 0:00
  • Lesson Overview 0:09
    • Lesson Overview
  • What is a Cookie? 1:15
    • Definition of Cookie
  • HTTP - A Stateless Protocol 2:17
    • HTTP - A Stateless Protocol
    • Purpose of Cookies
  • Set - Cookie Header 6:21
    • Introduction to Set - Cookie Header
    • Coding Example: Set - Cookie Header
  • Cookie Header 9:45
    • Introduction to Cookie Header
    • Example: Cookie Header
  • setcookie() 12:33
    • Introduction to setcookie()
    • Example: Using setcookie
  • Cookies Attributes 15:48
    • Cookies Attributes Overview
    • Common Cookies Attributes: Domain
    • Common Cookies Attributes: Path
    • Common Cookies Attributes: Expires
    • Coding Example: Setting Cookie Attributes
  • $_COOKIE Superglobal 27:03
    • $_COOKIE Superglobal
    • Coding Example: Accessing Cookies from PHP Using $_COOKIE
  • Security Implications 34:44
    • Security Implications
  • Homework Challenge 36:10
    • Homework Challenge: 1 - 4
  • Homework Challenge (cont.) 37:47
    • Homework Challenge: 5 - 7

Transcription: Cookies

Hello again, and welcome back to Educator.com's Advanced PHP with MySQL course.0000

In today's lesson, we are going to be covering the topic of cookies.0005

Specifically, we are going to be going over what a cookie is.0010

It may be something you are familiar with, or maybe it's a term that you have heard thrown around in the web development world.0014

We are going to talk a little bit about HTTP and how it is known as a stateless protocol, and how cookies can change that.0021

We are going to talk about a couple of HTTP headers.0031

We are going to talk about the Set-Cookie header, which is an HTTP response header.0035

And we are going to talk about the Cookie header, which is an HTTP request header.0039

We are also going to talk about a function built into PHP for what is known as setting cookies.0044

We are going to talk about different attributes that cookies can have.0055

We are going to talk about (after we learn about what cookies are) how to access cookie data within your file using the COOKIE superglobal variable.0058

And then, we are going to briefly talk about security implications as they relate to cookies.0069

What exactly is a cookie? Well, it is a piece of information or data that is set by an HTTP server,0077

and it gets sent back to a web client within an HTTP response for storage by the client.0086

For example (and it is done in name/value pairs), a server might want to set a cookie that says the user ID equals 1001.0092

Well, it will create that cookie, and then what it will do is: using an HTTP response header,0103

it will send that cookie back to the client, and the client is going to store that on its local machine.0109

Cookies are associated with a particular website, and what happens is: every time a client goes to request a page from a particular website,0115

it checks to see if it has a cookie stored that is associated with that website.0123

If it does, it goes ahead and, in its HTTP request, sends the information contained in that cookie to the web server.0128

Before we go into the details about how the cookies work, I just want to talk quickly about HTTP and what is known as a stateless protocol.0139

What that means is that, for each HTTP request and response, no state is preserved,0148

which means there is no memory between one request and another.0155

For example, when you go to a website, and you request a page...0158

for example, let's say this was your HTTP request, and then your server would respond with something like this,0162

with HTML as part of the body; when you do that request--let's say you do that multiple times--0171

each time you do that, the HTTP server has no idea that those are linked from the same computer.0179

It can know that it is from the same computer, but it doesn't store any information about each of the different requests.0187

For example, let's say that you were trying to implement a shopping cart, and you add an item to a cart.0195

Well, maybe what you would do is send a GET request that provides some information.0201

Maybe you have a query string that says to add item 1001.0206

And the HTTP server is going to go ahead and process that GET request.0212

It is going to add an item to a shopping cart, and then it is going to send the response back to you that maybe shows you your shopping cart.0216

However, the next time you go to add another item to the shopping cart, how does the server know that that item 1001 is already part of your cart?0224

HTTP, in and of itself, doesn't have a mechanism for that.0234

It doesn't store this information anywhere--for example, on the server.0237

Well, cookies are a way to enable some memory--some state--to occur between different HTTP transactions.0242

For example, cookies are to provide knowledge of previous events.0253

What it does is connects one HTTP request to another.0260

And this can be used for things...for example, it can identify a particular client.0263

Maybe, when you go to a website, and you log in, the HTTP server, when it sends you back your welcome page,0267

will send you a cookie, which is a piece of information.0276

And it is going to say, "Your user ID is this."0279

Then, every time you go and visit a page on that website, you are going to send that cookie back to the server, and it is going to identify you.0282

And then, the server can say, "Hey, this is a person I have dealt with before," and maybe it can alter its page content based on that.0289

Another thing that you can do is contain information in a cookie, such as the contents of a shopping cart.0296

For example, let's say you send an HTTP request; you click on a button that says "Add Item to Shopping Cart"0303

that sends a GET request with the item ID to the server.0310

Well, the HTTP server can then create a cookie that says, "OK, maybe the cookie's name will be 1001, which is the ID of the item."0313

And maybe its value is going to set to 1, which means you added one of those items to your shopping cart.0324

Well, what the server can do is create a cookie that contains this data.0329

It can send that back in its response to the client.0333

And then, when the client goes to another page in that website (for example, clicks on the Add to Cart button0337

for another item on that website), well, because, as we had mentioned, any time you have cookies stored for a particular website,0343

when you go to a page on that website, you automatically send it; when you go to add that second item to the cart,0351

you are going to send this cookie back to the server.0357

So, now the server knows that you have already had one item in your cart.0362

And it can add this new item to the cart; it can update the cookie to reflect that.0366

But now that it knows this information about you having this item already in the cart,0371

when it sends you a page back to view your cart, it can show both of the items, because it has knowledge of that.0375

The way that setting and getting cookies works is through some headers.0383

In particular, there is an HTTP response header called Set-Cookie.0391

And what that does is: that is a way for the web server to send a cookie (which is a name/value pair) back to the client that has information.0397

An example of an HTTP response header that sends a cookie to the client is this right here.0406

We have our typical HTTP response information, and down here you have the body of the response.0413

Maybe it is the HTML to represent a shopping cart.0419

But what you can see is that it has a new header here called Set-Cookie.0424

And what you do is provide the name of the cookie, and then the value, to it.0427

The server is going to say, "OK, I am sending to this client a cookie that has the name cookie, and it is going to have the value equal to cookie value."0433

And what that is going to do is: it is going to get sent to the client.0446

When the client receives this response, it is going to store this cookie and associate it with whatever website this response came from, right here.0448

If we go and take a look at an example, I'm going to have Firebug open, and in the Firebug, we select the net tab,0459

so that we can see the HTTP header information that is going on.0469

For example, if we click on the script httpSetCookieHeader.php, this is a script that,0474

when you go to it, creates a cookie and sends it back to the client as part of the script.0481

And we are going to talk a little bit more about how to do that in a few slides.0489

But for now, that is what is going on behind the scenes.0491

It just shows a little bit of output, of what the HTTP response when you go to this page might look like.0495

It is going to show some of your typical HTTP response headers.0502

And you can see, also, that it has a Set-Cookie header, which is setting a cookie named example1Cookie, and it has the value equal to value.0504

Now, if we go down here and we look at our Firebug output, and we see the HTTP response header that we get back0516

from the server when we requested this page, we can see, in the raw header,0526

that there is this Set-Cookie header; and it has, as we expected, the name of the cookie and the value.0530

And so, that is how the server sends the cookie back to the user; it uses this Set-Cookie header.0538

Now, we have another script called cookieHeader, which shows the client side of things.0547

And what this shows is: when the client requests another page from this particular website0553

(in this case, it is a localhost website), what it is going to do is say, "Get me the page httpCookieHeader.php."0559

It is going to have the Host header, and then it is also going to have a new header that we are going to talk about, called Cookie,0571

which is the way of the client sending the cookie back to the user.0580

For example, Set-Cookie is used by the server to send a cookie to the client.0587

Well, any time a client requests a page (for example, if a client has a cookie associated with the host www.educator.com)0591

from that website (here, index.html), it is going to send any cookies it has that are associated with that site back to the server.0601

So, if a cookie had previously been set and stored from Educator.com on this client,0612

the client uses what is known as a Cookie header in its HTTP request, and what it does is provides the name of the cookie and its value.0619

If we go back and look at our script here again, we can see that this is what it looks like when we request a page after we have already received a cookie.0628

In our previous script, setCookieHeader, the HTTP server on our localhost sent us a cookie called example1cookie, and it has the value value.0638

When we go to request another page on this same website (in this case, it's called httpCookieHeader),0652

what we can see is: if we look down at the request information, if we look at the raw HTTP request, there is a Cookie header.0660

And it says example1cookie=value; so what it has done is: because we have gone to that same website,0672

before it sends this request off to the website, our web browser goes and looks to see if it has any cookies stored for localhost.0678

And then, if it does, it goes ahead and sends those cookies along.0685

Well, in this case, we have a cookie called example1cookie, and it sends the value back to the server called value.0687

And one of the things you can do in Firefox is see the different cookies that you have stored.0695

If you go to Firefox menu, and you go to Options, and then you select the Privacy tab, there is a link on the default page here.0700

You can click Remove Individual Cookies, and what this does is shows all of the cookies that you have from all the different sites.0709

So, here you can see all of the different sites that we have visited, that we have received cookies from.0715

That means that, when we have gone to these websites, we have received an HTTP response from the server that had the Set-Cookie header in it.0720

For example, if we search for our localhost, we can see that we have one cookie.0729

The name of the cookie is example1cookie; its content, or the value of the cookie, is value, which is what we had set, to which the cookie's value was set.0735

And so, this shows you information about the particular cookie.0745

How do you set a cookie? Let's say you are writing a script, and you want to send a cookie back to the server.0755

For example, you want to maybe provide a user ID; you can say userID=1001.0762

So, every time the user comes back to the site, it will automatically supply that information to the server via the Cookie header in the HTTP request.0768

Well, PHP provides a built-in function called setCookie.0778

And what that does is allows your script to send a cookie back to a client.0782

One important thing to note is that, because setCookie involves setting an HTTP header (in particular, the Set-Cookie header),0787

you have to call it before any of the script's output is generated.0795

We had seen this before in examples when we used the header method--for example, to redirect the user to another web page.0799

And when we use that before, we have to do that before we generate any output, or else we are going to get an error.0817

So, it is important that you call setCookie before you generate any output for your script.0821

The first two parameters of the setCookie method are the name of the cookie and the value that you want to assign to the cookie.0827

If we go and take a look at a script called setCookie, we can see that it is a PHP script.0834

And before any of our output is generated, we have a PHP section up here that calls the setCookie method.0840

And what it does is: it is setting a cookie called example2cookie, and we are setting the value of that cookie just equal to the string 'value.'0846

So, when the user requests this page, when PHP generates the HTTP response to send back to the client,0855

it is going to generate a Set-Cookie header that is going to contain this cookie.0864

It is going to say "example2cookie=value."0869

And then, it is going to return whatever HTML the page contains, that you are sending back to the user.0872

In this case, it is just some output that shows an example of the headers that you are receiving from the web server.0880

If we go and look at our example2, and we go to setCookie.php, we can see that this is an example of what our response header looks like.0891

So, when we go to this page, we are getting a response that has the header Set-Cookie that says example2cookie=value.0904

If we go down here in our Firebug and we look at our response, and we view the raw HTTP response header,0911

we can see there is, in fact, the Set-Cookie header that shows that a cookie name example2cookie0918

has been sent to the client, and it has the value 'value.'0927

If we go ahead and look again at our cookies for localhost, we should now be able to see that we have two cookies.0931

We have the example1cookie from our previous example and example2cookie from this example.0940

One of the features of cookies is that they have several attributes that you can set.0949

And these attributes determine whether or not a client is going0953

to send a particular cookie to a web server when it is making an HTTP request for a page.0957

We have already implicitly said that, when a client receives a cookie from a particular website, it stores that cookie.0965

And then, any time it visits a page on that website, what it does is goes ahead and sends that cookie, along with any request that it has.0975

Well, you can explicitly set that; there is a domain attribute that you can set for a cookie that explicitly specifies the domain for which a cookie applies.0985

So, in our case, for example, it has been localhost.0995

We were not explicitly providing that; and what a specification does is: when a browser receives a cookie0997

that doesn't have a domain attribute set, it uses the domain of whatever website it received it from.1003

In our case, when we looked at those cookies in our Firefox web browser's Cookies dialog box,1011

and we searched for localhost, we could see that the domain1019

associated with those cookies is localhost, because that is where they came from.1022

There is also a path attribute that you can associate with a cookie.1026

And that says, "Within a particular domain, the client is only going to send a cookie back to the browser if it requests a page within a particular path."1030

For example, if we look in a little more detail at the cookie we received on our example number 2,1042

we can see information down here that Firefox provides.1056

It the name of the cookie, example2cookie; it has its content, which is value.1059

We can see it has the host, which is the same thing as domain, and it sets localhost.1063

And we didn't explicitly set that, but that is implicitly set.1067

Additionally, if path is not explicitly set, then it the path of the cookie gets set to whatever path the script that you requested was.1070

In this particular case, the path for our script, setCookie.php, was in the example-2 directory1087

of the lecture_23 directory of the lecture_examples directory in the advanced_php directory.1098

Any time we use localhost, and we access or request a script within this example-2 directory, this example2cookie is going to get passed on.1104

For example, if we refresh this page, because we are still in this example-2 directory,1117

we are also going to have a request header now that is going to pass that cookie along.1123

Not only does the cookie get set, but also, if we look at our request header, we can see that this example2cookie has been passed along.1129

Now, that is associated with this particular path.1136

Let's say we were to go up one directory, out of the example-2 directory, and we were just to refresh the page,1139

which is just requesting the directory listing for lecture_23.1149

Well, the lecture_23 directory is not lecture_23/example-2, so our web browser should not send that example2cookie in its request for this directory listing.1153

If we go and look down at our request headers, we can see that there is no Cookie header that is sending that along.1166

The other common cookie attribute that is set is called expires.1177

And that is the date and time when a cookie is no longer valid.1181

So, in addition to when a client is requesting a web page, it checks to see if it has any cookies for that particular domain;1184

it checks the path that it is requesting the script from.1192

If a cookie in that domain matches that path, it will send the cookie.1195

And then also, it checks to see if the cookie has not expired.1199

If the cookie has not expired (meaning that the expiration date and time of the cookie has not yet occurred), then it will set the cookie.1201

If the cookie has expired, it doesn't set that.1208

These are three attributes that allow you to determine that, once the server sets a cookie on a client,1211

when and under what conditions that client will send that cookie back to the server.1222

The setCookie method can take values for all three of these attributes: domain, path, and expires.1228

One thing to note is that the expires parameter takes a UNIX timestamp.1235

However, because in the cookie specification, the expires attribute is a formatted date string1242

(for example, like Thursday, September 3rd, with a time), you specify a UNIX timestamp,1248

and PHP automatically converts it to the appropriate timestamp.1253

For example, we have another script called cookieAttributes.php.1259

We are going to create a couple of variables for our setCookie method.1267

We are going to name the cookie example3cookie; we are going to set its value equal to value.1271

We are going to set the domain that the cookie is valid for equal to localhost (even though this is done implicitly, we are just going to do it here explicitly).1276

One thing to note is that the domain always has to be preceded by a dot; that is part of the specification.1283

We are going to specify the path of the cookie; again, this is something that would be implicitly done,1288

but we are going to explicitly specify that this cookie is only valid for the example-3 directory in our lecture_23 directory.1293

We are setting the cookie's expiration equal to time=0; and what that does is: that means that the cookie expires whenever the browser shuts down.1301

That is sort of a default of the cookie specification.1315

Here, we call the setCookie method; we pass it the name and the value of the cookie.1317

We pass it when it expires, and then the path and the domain.1321

And then, this is just an output section that shows what that Set-Cookie header looks like when we receive a response from this page.1327

If we go to example-3, and we go to cookieAttributes.php, we can see here that we are receiving a response1336

that has a Set-Cookie header that has the name of the cookie;1346

it has the path the cookie is valid for; and it also has the domain that it is valid for.1350

It doesn't have an expires attribute, because it has a default expires attribute, which is whenever the session ends, which is why it was set to 0.1356

If we look down here at our raw HTTP response header, we can see the same information1366

with the path, the domain, and then the cookie name and value specified.1373

Now, one thing that you can do is: let's go ahead and try to explicitly set the time.1378

As mentioned, the setCookie method takes a UNIX timestamp, and then converts it to an appropriate date and time.1383

So, let's say we want this cookie to expire one hour from now.1389

It does things in seconds, so 60 seconds times 60 minutes will be one hour.1394

We save it; now, when we go ahead and reload this page...1400

Well, first of all, let's look at the cookie details for example3cookie.1405

We can see that it has the name example3cookie and the value 'value'; it is for the domain localhost.1417

Its path is for the example-3 directory; and expires--it says at end of session, which is when the browser closes (and that is the default).1423

Well, now we have explicitly set the expires value; so when we refresh this page, we are going to see that,1432

in our new Set-Cookie header that is generated, now there is an expires attribute1439

that has been set by the server, when it sends the cookie back to the client.1445

And what it does is: it took that UNIX timestamp that we created and went ahead and generated a date/time string.1450

This is what the format of the date/time string looks like.1456

And what it is saying is "an hour from now is when this cookie expires."1458

And if we look at the raw HTTP response header, we can see that it has this Expires header down here, the path attribute, and the domain attribute.1464

Now, when we go and look at the cookies from localhost, and we look at example3cookie,1475

now we can see that this expires attribute has been updated to a specific date and time,1485

which means that any time after 0100 p.m. on September 2nd, this cookie is no longer valid.1490

And so, the browser is not going to send it any time it requests a page on the localhost domain at the path for the example-3 directory.1496

One thing that you can do is: in order to delete a cookie (get rid of it), you simply set the expires date of the cookie to a time in the past.1506

For example, if instead of adding 60 minutes, we subtracted 60 minutes from the time,1515

that is going to set the cookie's time to a time in the past.1520

What is going to happen is: when we refresh our page, you can see that it shows an expires time that is in the past.1522

And when we look at our raw Cookie header, we can see that it sets the expires attribute to a date in the past.1533

Now, because of that, when we go and look at our cookies for localhost, the example3cookie is no longer there.1543

And that is because our browser recognized, when it received the cookie, that the cookie was expired.1553

So, what it did was deleted it.1557

So, that is one thing to note: if you already have a cookie set on your client machine for a particular domain,1561

a particular path, and with a particular name (for example, example3cookie), if you reset that cookie using the Set-Cookie header,1568

as we did here, it overwrites all of those cookie attributes.1576

So, in this case, we are overwriting the value to 'value,' which is the same as before.1580

We are overwriting the path and domain; well, actually, the path and domain will be the same.1585

But what we are doing is overwriting the expires attribute.1590

What that is going to do is change the value of that cookie on the server, and it is going to update1592

the expires attribute to be in the past, which means that the cookie is no longer going to be set.1596

Now, if we notice, when we refresh this page, even though we had previously set a cookie1603

for this particular domain and this particular path, we can see, if we look at the raw HTTP request,1609

that there is no Cookie header, because there is no cookie to pass on, because the cookie had expired.1615

We use these cookies to pass information back and forth between the client and the server.1624

And so, the question now is, "How do we access that information on a PHP script?"1629

We have a client that we have set a cookie for; the client requests a PHP page, and we want to find out some information in the cookie.1634

For example, maybe the cookie contains information a shopping cart, and we want to access that information in our script1640

to find out what items the user already has in their shopping cart.1646

The way you do that is: we are going to introduce another superglobal called _COOKIE.1653

And what that does is: on any script that is loaded, if a Cookie header has been sent by the client in the HTTP request,1658

any cookie name/value pairs that have been sent are going to be created in this _COOKIE superglobal.1669

For example, if a client were to request index.php at localhost, and it were to set the Cookie header,1676

it is going to send a cookie named testCookie, and it is going to have its value equal to cookieValue,1683

which means that this cookie was previously set for localhost for this particular client.1690

So, it has it stored, and it is sending it back to the server when it is requesting index.php.1695

Well, this index.php page can access this testCookie; it can access the value that it was set to, using the _COOKIE superglobal.1702

And the _COOKIE superglobal is an associative array that contains the names of all of the cookies that were sent to a particular script by the client.1710

In this case, we have one cookie, testCookie; and then, the value of it is the value of this cookie.1721

cookieValue here is going to be equal to the string 'cookieValue.'1727

One of the things we could have done here instead: we could have said item-1001 equals 2.1735

And we will say that that cookie represents that we have item 1001 in quantity 2 in our shopping cart.1742

Now, we could say quantity(Item) equals...and what that is going to do is look for a cookie1749

named 1001 (in this case, assuming we pass it along, it is going to say 1001).1769

And then, it is going to load that value, which is going to be equal to 2.1774

And so now, we are going to know the quantity of that item in a particular cart.1778

If we look at our file called cookieSuperglobal, here we have our same setup here at the beginning,1787

where we are setting a cookie in this particular page.1793

And then, we are outputting information about the HTTP response that is generated,1797

which outputs the Set-Cookie header, so that we can see what it looks like.1803

Then also, we have a section that is going to try and access the value of this cookie.1809

And what it is going to do is: we named our cookie, in this case, example4cookie; and then, we are going to try to output the value of it.1813

What we do is: if we go to example-4, and we load our page cookieSuperglobal.php,1821

we can see that a cookie was set with the value sampleValue; it is called example4cookie.1835

However, in our script, when we try to access example4cookie, it is nonexistent.1842

Now, the reason for that is that the _COOKIE superglobal only has access to cookies that were sent as part of a request for a particular script.1847

The first time, when we requested this particular script, cookieSuperglobal.php, we had no example for cookie.1858

It hadn't been set yet, so we had nothing to send back to the client.1866

If you look at our request and response when we requested this page, you can look at the requests,1869

and you can see that there is no cookie here, because we had not received a cookie yet.1875

However, in our response, we can see that a cookie was set, example4cookie; and it has the path and the domain for it.1879

So now that we have received this cookie, the next time that we refresh this page, we are going to send that cookie along,1887

because it is associated with that path and that domain.1893

And then, we are going to be able to access it in our script.1898

For example, if we refresh the page, now we have access to the value of that cookie.1901

The reason is that, because we had already received the cookie, when we re-requested the page, we send that cookie along.1906

And if we look at the second time we requested that page, we can see that we passed this cookie along via the Cookie header.1913

And one of the things that you can do is set multiple cookies for a particular page.1922

For example, we could set another cookie, call the cookie hello, and set its value equal to world,1927

and just have it have default values for domain, path, and expires.1937

Now, we are setting two cookies when we go to this page.1942

And then, instead of just outputting our cookie example4cookie value, let's go ahead and...1946

we'll just print out the entire _COOKIE superglobal, which will provide information about both the cookies.1957

So now, what we do is: when we go and reload this page, we can see that it has access to our example4cookie.1975

However, we can see that the cookies array only has example4cookie.1989

That is because this page, when we reloaded it for the first time, sent that cookie back to the user.1993

So, the first time we load that page, that second cookie is not available to be sent back.1999

And if we look at our HTTP header, we can see that, in our Set-Cookie header, we have two cookies that are sent:2003

example4cookie equals sampleValue, and then also our other cookie that we created, called hello=world.2017

And when we requested this page, we only had the example4cookie; that is all we sent back.2024

If we go ahead and refresh this page, and look at our HTTP request, now we can see that it sends both cookies back.2029

And one thing to note is that when a client sends a cookie via a Cookie header back to the web server by an HTTP request,2037

it only sends the name and value of the cookie; it doesn't send the expires attribute or the domain attribute or the path attribute--2047

whereas, when the cookie is set, the server does send that information.2057

The reason is that that information is used by the client to decide whether to send the cookie back; and the server does not need to know about that.2060

So, now, when we look at the output of this script, when we dump our _COOKIE superglobal, we can see that it has two cookies in it.2067

One is example4cookie with value sampleValue, and one is the hello cookie that has the value world.2076

I just want to talk, really quickly, about security implications of cookies.2086

Cookies can be essentially be used to track users, and so they have some privacy issues associated with them.2090

For example, let's say you go to a website, and your browser is allowed to accept cookies.2095

They (the website) can set a cookie that sends a unique user ID.2100

So, every time you go back to that website, your browser is going to match the domain of that website, and it is going to send that cookie.2105

So, in that way, the website can track how many times you go to the site, and so forth.2111

There are also some security issues with cookies, in that they store information.2117

So, you could have some sensitive information that gets stored on a person's computer,2121

so anybody that has access to that computer could look at that information.2125

For these reasons, you may have heard that users can disable cookies, which means that they don't accept cookies from web servers.2128

The reason I am mentioning that is that it has the implication that, if you are planning on using cookies2138

to enable some functionality of your website, you have to consider the fact that2144

some of your users may have cookies disabled, and therefore may not be able to access any cookie-dependent functionality.2148

That is just something you should consider.2155

Most people typically use cookies; most websites use them; but that is one thing to consider,2156

depending on your user base and your application, as to whether or not to use cookies--2163

because some of your users may not be able to have access to them.2167

For our homework challenge, I want you to create a script in a directory call subdir in the lecture_23 directory.2172

So, it is a subdirectory; it uses the Set-Cookie function to set a cookie named userID with the value 100.2183

And then, in the same script, I want you to use the _COOKIE superglobal to output the value of that cookie.2191

And remember that the first time you browse to that page, even though you have set the cookie, you are not going to be able to see it,2197

because when you request the page for the first time, you are receiving the cookie for the first time.2203

So, you don't have that cookie to be able to send back.2207

When you refresh the page, you will be able to see the output of that cookie.2209

One thing to note is that you make sure that you call your setCookie function before you try to output the value of the cookie,2213

because setCookie affects HTTP headers, and it has to be called first.2219

Otherwise, it will generate an error.2222

Then, in that same directory, create a second script that deletes the userID cookie.2225

And the way it does that is: you are going to set the expires attribute for that cookie in the setCookie method to a time in the past.2231

And what that is going to is delete the cookie.2238

When you run the second script, it is going to delete that cookie, and you then go ahead and reload (in step 4) that first script again.2241

You should, again, see that the value of the cookie is not available for output.2248

The reason is that the second script deleted that cookie, so when you go back to that first script, you have no cookie to send to the browser.2252

If you go ahead and refresh that page again, however, because that first script sets the cookie,2258

the second time you load it, the value of the cookie is going to be able to be output.2264

Then, going up one directory in lecture_23, I want you to create a script that tries to output the value of the userID cookie, using our _COOKIE superglobal.2269

And when you try to load a script, you should notice that, again, the cookie's value is not output.2281

In this case, it is not because the cookie doesn't exist.2287

It is because, as we mentioned implicitly, when you create a cookie, if you don't explicitly set a path or domain,2290

the cookie's path and domain is the path and domain of whatever script set that particular cookie.2296

So, in this case, because the cookie we generated before was associated with the path lecture_23/subdir,2304

when we are just in the lecture_23 directory, this cookie that we had set doesn't apply, because the path doesn't match.2314

So, it is not going to send that cookie; because it doesn't send that cookie, you are not going to be able2323

to access it via the _COOKIE superglobal, and you are not going to be able to output its value.2326

And so, that shows you a little bit about how the path attribute works for cookies.2332

One thing to note is: practice using the Firebug add-on, when you are running these scripts,2338

to take a look at the raw HTTP request and response headers.2344

That will allow you to look at the Set-Cookie and Cookie headers to see what is going on behind the scenes,2347

so you can understand how those headers work, and how the different cookie attributes (such as expires, domain, and path) are set.2353

It also allows you to see when a cookie is sent from the client to the server, and when the cookie is set in an HTTP response from the server to the client.2361

And that will give you more practice in understanding how cookies work, and when and why2372

they are sent back and forth between a server and a client.2378

That ends today's lesson; thank you for watching Educator.com--I look forward to seeing you next time.2383