1.2.1113. Should Use SetCookie()

Use setcookie() or setrawcookie(). Avoid using header() to do so, as the PHP native functions are more convenient and easier to spot during a refactoring.

setcookie() applies some encoding internally, to the value of the cookie and to the expiration date. Rarely, this encoding has to be skipped: then, use setrawcookie().

Both functions help by giving a checklist of important attributes to be used with the cookie.

<?php

// Preferred form: every attribute has its own slot, so a missing Secure or HttpOnly flag is visible at the call site.
// Arguments: name, value, expiration timestamp, path, domain, secure, httponly.
setcookie("myCookie", 'chocolate', time()+3600, "/", "", true, true);

// Same cookie built by hand with header(). Path and Domain are omitted here, but should be set whenever possible;
// the expiration date must be given in GMT, and the value has to be encoded by the caller.
header('Set-Cookie: myCookie=chocolate; Expires='.gmdate('D, d M Y H:i:s \G\M\T', time()+3600).'; Secure; HttpOnly');

?>
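The following is an added example, not code from the Exakat documentation. It shows the options-array form of setcookie() (PHP 7.3 and later) with the full attribute checklist, the encoding difference between setcookie() and setrawcookie(), and the hand-written header() call that this rule flags. The constants COOKIE_NAME and COOKIE_TTL and the function setHardenedCookie() are this example's own names.

```php
<?php
// Added example (not from the Exakat documentation). Assumes PHP >= 7.3 for the
// $options array form of setcookie(); COOKIE_NAME, COOKIE_TTL and
// setHardenedCookie() are names chosen for this example.

declare(strict_types=1);

const COOKIE_NAME = 'myCookie';
const COOKIE_TTL  = 3600; // seconds

/**
 * Set a cookie with every security-relevant attribute spelled out.
 * The options array makes the checklist explicit: a forgotten Secure,
 * HttpOnly or SameSite is visible at the call site and easy to grep for.
 */
function setHardenedCookie(string $name, string $value, int $ttl = COOKIE_TTL): bool
{
    return setcookie($name, $value, [
        'expires'  => time() + $ttl,
        'path'     => '/',
        'domain'   => '',        // empty: current host only
        'secure'   => true,      // only sent over HTTPS
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Strict',  // not sent on cross-site requests
    ]);
}

// Constructed value containing characters that are not allowed raw in a cookie.
$value = 'choco late;path=/evil';

// setcookie() URL-encodes the value, so the ';' cannot smuggle in a new attribute:
//   Set-Cookie: myCookie=choco+late%3Bpath%3D%2Fevil; expires=...; Max-Age=3600; path=/; secure; HttpOnly; SameSite=Strict
setHardenedCookie(COOKIE_NAME, $value);

// setrawcookie() sends the value verbatim. PHP refuses values containing
// ',', ';', whitespace or control characters and returns false, so in the
// rare case where the encoding must be skipped the caller has to supply a
// cookie-safe value already (base64url here).
$raw = rtrim(strtr(base64_encode($value), '+/', '-_'), '=');
setrawcookie(COOKIE_NAME . '_raw', $raw, [
    'expires'  => time() + COOKIE_TTL,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);

// The header() form this rule flags: nothing enforces the attribute list or
// the value encoding, so every piece below depends on the programmer
// remembering it, and a reviewer has to parse the string to spot what is missing.
header('Set-Cookie: ' . COOKIE_NAME . '_manual=' . rawurlencode($value)
    . '; Expires=' . gmdate('D, d M Y H:i:s \G\M\T', time() + COOKIE_TTL)
    . '; Path=/; Secure; HttpOnly; SameSite=Strict');
```

Run under a web SAPI and inspect the response headers: the first two cookies carry the same attribute set regardless of how the value was produced, while the third is only as complete as the string the programmer typed.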

See also Set-Cookie and setcookie.

1.2.1113.1. Suggestions

  • Use setcookie() function, instead of header()

1.2.1113.2. Specs

Short name: Php/UseSetCookie

Rulesets: All, Analyze

Exakat since: 0.10.6

PHP Version: All

Severity: Major

Time To Fix: Instant (5 mins)

Precision: Very high

Features: cookie, http-header

Available in: Enterprise Edition, Exakat Cloud