http_cookie_set and http_cookie_remove #2643

blar · 2017-07-22T17:16:12Z

bool http_cookie_set(string $name, string $value [, array $options])

expires: int, default: 0
path: string, default: ""
domain: string, default: ""
secure: bool, default: false
httponly: bool, default: false
encode: int, default: HTTP_COOKIE_ENCODE_RFC1738

Contants for encode option:
HTTP_COOKIE_ENCODE_NONE (same as setrawcookie)
HTTP_COOKIE_ENCODE_RFC1738 (same encoding as setcookie)
HTTP_COOKIE_ENCODE_RFC3986

If encoding is HTTP_COOKIE_ENCODE_NONE, then no encoding is performed. The caller is responsible for a correct encoding.

If encoding is HTTP_COOKIE_ENCODE_RFC1738, then encoding is performed per RFC 1738 and the application/x-www-form-urlencoded media type, which implies that spaces are encoded as plus (+) signs.

If encoding is HTTP_COOKIE_ENCODE_RFC3986, then encoding is performed according to RFC 3986, and spaces will be percent encoded (%20).

Set cookie with httponly without unnecessary pass the default values for $path, $domain or $secure like setcoookie() or setrawcookie()

http_cookie_set('foo', 'bar', [
    'httponly' => true
]);

Disable encoding and encode the value with another function:

http_cookie_set('foo', base64_encode($value), [
    'httponly' => true,
    'encoding' => HTTP_COOKIE_ENCODE_NONE
]);

bool http_cookie_remove(string $name);
Remove a cookie. No more need to look into the manual if the correct value is "", NULL or 0 to remove cookies.

KalleZ · 2017-08-23T20:31:21Z

I personally would prefer if the naming convention was the same as the already existing one to ensure we don't conflict with pecl/http, e.g.: removecookie() then alter setcookie() to check if the 3rd parameter is an array and handle from there, tho I do agree that removecookie() is a bad name.

Lets see what the other core devs have of thoughts on this

Girgias · 2019-02-23T18:47:31Z

I know this PR is a tad old but couldn't the encoding be specified as a new key in the $options parameter (as of PHP 7.3) for the setcookie (and other related function such as session_set_cookie_params)?
Not sure however if this option would make any sense with setrawcookie but I supposed it should be included with it for consistency (or another option is that setrawcookie is obsolete if you can specify that no encoding should be done on it. But I feel this is a whole other topic subject to bunch of controversies).

cmb69 · 2019-04-26T15:37:50Z

@Girgias already mentioned that we could add an encode parameter to the options array of setcookie(). Not sure if that would require an RFC, but at least some discussion on the internals@ mailing list appears to be in order. Care to proceed with this @blar?

PS: ah, overlooked http_cookie_remove() which IMHO could be done easily in userland, though.

krakjoe · 2021-05-10T10:59:09Z

I'm going to draw a line under this, there didn't seem to be the interest from the OP to keep going.

blar added 3 commits July 22, 2017 19:02

http_cookie_set and http_cookie_remove

b0f2699

encode must be an int

a8638dc

Add a warning for unsupported options

c6758c9

blar mentioned this pull request Jul 23, 2017

implement same site cookie #2613

Closed

krakjoe added the RFC label Jul 24, 2017

cmb69 added the Waiting on Author label Apr 26, 2019

krakjoe closed this May 10, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

http_cookie_set and http_cookie_remove #2643

http_cookie_set and http_cookie_remove #2643

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

http_cookie_set and http_cookie_remove #2643

http_cookie_set and http_cookie_remove #2643

Uh oh!

Conversation

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!