anthonygiuliano - 1 year ago
PHP Question

PHP setcookie behavior with cookies disabled

Can anyone confirm the behavior of PHP's setcookie() function when the client has cookies disabled? According to the documentation:

"If output exists prior to calling this function, setcookie() will fail and return FALSE. If setcookie() successfully runs, it will return TRUE. This does not indicate whether the user accepted the cookie."

I'm not sure what 'successfully runs' means exactly, but this leads me to believe that the implementation doesn't care about whether the client accepts the cookie, and that we shouldn't have to worry about PHP errors / warnings related to the cookie actually being set or not. Is that right?

Thanks in advance

Answer Source

Cookies are sent via HTTP header. Headers can ALWAYS be sent. Whether they're accepted/ignored is irrelevant - you can send ANY header you want.

The only way to tell if a client has accepted a cookie is if the cookie gets sent BACK to the server by the client on its NEXT request.

The only way setcookie() fails is if output has already started. That causes the PHP "headers already sent" warning.

e.g. A normal HTTP server->client response looks like this:

HTTP/1.1 200 OK
Content-type: text/html
Cookie: ...cookie data here ...

<html><body>Hi mom!</body></html>

But if you do output first, BEFORE calling setcookie, you'd end up with something like this:

HTTP/1.1 200 OK
Content-type: text/html

<html><body>Hi mom!</body></html>
Cookie: ... cookie data here ...

which doesn't work. Headers are only headers when they're in the header block of the response. If they show up in the body, they're not a header - they're part of the content. That's why PHP issues the "headers already sent", and doesn't send the cookie. It can't - the train has already left the station.
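The round-trip check described in the answer, as an added example that is not part of the original answer: it sends a probe cookie only while the header block is still open, then looks for it on the next request. The names `cookie_probe`, `probe` and `cookiesAccepted()` are hypothetical, and the `secure` flag assumes the page is served over HTTPS.

```php
<?php
declare(strict_types=1);

// Hypothetical names chosen for this example.
const PROBE_COOKIE = 'cookie_probe';
const PROBE_PARAM  = 'probe';

/**
 * Returns true if the client sent the probe cookie back, false if it did not,
 * and null if the test could not be started because output had already begun.
 */
function cookiesAccepted(): ?bool
{
    // The cookie came back with this request: the client accepted it.
    if (isset($_COOKIE[PROBE_COOKIE])) {
        return true;
    }

    // The marker shows we already sent the cookie on the previous response,
    // and it did not come back: the client rejected or ignored it.
    if (isset($_GET[PROBE_PARAM])) {
        return false;
    }

    // First visit. setcookie() can only work while headers are still unsent.
    if (headers_sent($file, $line)) {
        error_log("Cannot set probe cookie: output started at $file:$line");
        return null;
    }

    // PHP emits this as a Set-Cookie response header. A true return value
    // only means the header was queued, not that the client will store it.
    setcookie(PROBE_COOKIE, '1', [
        'expires'  => 0,       // session cookie
        'path'     => '/',
        'secure'   => true,    // assumption: HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    // Relative redirect to the same path, so no request data reaches Location.
    header('Location: ?' . PROBE_PARAM . '=1', true, 302);
    exit;
}

$state = cookiesAccepted();
echo $state === true  ? "cookies accepted\n"
   : ($state === false ? "cookies rejected or disabled\n" : "could not test\n");
```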