1.2.1116. Should Use SetCookie()

Use setcookie() or setrawcookie(). Avoid using header() to do so, as the PHP native functions are more convenient and easier to spot during a refactoring.

setcookie() applies some encoding internally, for the value of the cookie and the date of expiration. Rarely, this encoding has to be skipped : then, use setrawencoding().

Both functions help by giving a checklist of important attributes to be used with the cookie.

<?php

// same as below
setcookie("myCookie", 'chocolate', time()+3600, "/", "", true, true);

// same as above. Slots for path and domain are omitted, but should be used whenever possible
header('Set-Cookie: myCookie=chocolate; Expires='.date('r', (time()+3600)).'; Secure; HttpOnly');

?>

See also Set-Cookie and setcookie.

1.2.1116.1. Suggestions

  • Use setcookie() function, instead of header()

1.2.1116.2. Specs

Short name

Php/UseSetCookie

Rulesets

All, Analyze, Changed Behavior

Exakat since

0.10.6

PHP Version

All

Severity

Major

Time To Fix

Instant (5 mins)

Precision

Very high

Features

cookie, http-header

Available in

Entreprise Edition, Exakat Cloud