Tuesday, October 16, 2018

Do Not Use Cookies as The Way We Use Variables

Considering the code as follows:

<?php
  setcookie("test", "1", time() + 3600);  // set cookie
  echo $_COOKIE["test"];
?>

The result shows ‘undefined index’ after execution:

Notice: Undefined index: test in /xxx/index.php on line 2

Why did this happen? Has the cookie not been set?
It has been set. The notice appears because the browser hasn’t sent a new HTTP request to the server yet, so the server hasn’t received ‘test’ as a request cookie yet.

The document rfc6252 from the Internet Engineering Task Force (IETF) explains how cookies work in its introduction:

Using the Set-Cookie header field, an HTTP server can pass name/value pairs and associated metadata (called cookies) to a user agent. When the user agent makes subsequent requests to the server, the user agent uses the metadata and other information to determine whether to return the name/value pairs in the Cookie header.

Hmm~~, what does that mean exactly?

Let’s open the Chrome Developer Tools to see how cookies work.

I wrote three PHP programs as follows:

  1. set_cookie.php: sets the cookie ‘test’ to the value 1.
<?php
  setcookie("test", "1", time() + 3600);  // adds a Set-Cookie header to the response
  echo $_COOKIE["test"];                  // reads the cookie sent with the request
?>
  2. show_cookie.php: shows the value of the cookie ‘test’.
<?php
  echo $_COOKIE["test"];
?>
  3. delete_cookie.php: deletes the cookie ‘test’.
<?php
  setcookie("test", "", time() - 3600);   // an expiry time in the past deletes the cookie
?>

Check the cookies in Chrome DevTools

  1. Now, let’s run set_cookie.php and see what happens in Chrome DevTools. In the ‘Cookies’ window, a Response Cookie ‘test’ with the value 1 is shown. The cookie ‘test’ is not shown on the ‘Request Cookies’ side, meaning that the browser had not yet received the cookie from the server when it made this request. So the browser shows the ‘undefined index’ message, as expected.

[Screenshot: run set_cookie.php]

  2. Next, let’s run show_cookie.php to send an HTTP request to the server and show the cookie ‘test’. The cookie ‘test’ with the value 1 now appears on the ‘Request Cookies’ side. As expected, the browser shows ‘1’, the value of the cookie ‘test’.

[Screenshot: run show_cookie.php]

  3. Let’s run delete_cookie.php to delete the cookie ‘test’. A ‘delete’ value is shown on the ‘Response Cookies’ side. The cookie ‘test’ with the value 1 is still on the ‘Request Cookies’ side.

[Screenshot: delete_cookie.php]

  4. Let’s run show_cookie.php again to send an HTTP request to the server. The browser has applied the response cookie from the previous step and deleted the cookie ‘test’, so the cookie has disappeared from both sides of the ‘Cookies’ window. Therefore, the browser shows ‘undefined index’ again.

[Screenshot: show_cookie again]

Use cookies for storing data and variables for calculation.

As shown above, the behavior of cookies is different from that of variables. We cannot use cookies the way we use variables.

Do not base a calculation on a cookie value that has just been set if no new HTTP request has been sent to the server. Use a variable for the calculation instead, so that the result is correct.
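
The following visit counter applies this advice. It is an added example, not code from the original post: the cookie name ‘visits’ and the function read_visits() are made up for the illustration. The request cookie is read once into a variable, the calculation is done on the variable, and the cookie is only written for the next request. Because the value arrives from the browser, it is validated before it is used.

```php
<?php
// Added example: a visit counter that never reads back a cookie it has just set.
// The cookie name 'visits' and read_visits() are hypothetical names.

/**
 * Return the counter the browser sent in this request's Cookie header,
 * or 0 if the cookie is absent or is not a plain non-negative integer.
 * The value is client-supplied, so it is validated before use.
 */
function read_visits(array $cookies): int
{
    // ?? avoids the 'undefined index' notice on the first request.
    $raw = $cookies['visits'] ?? null;

    // Accept only 1 to 9 ASCII digits; anything else restarts the count.
    if (!is_string($raw) || preg_match('/^[0-9]{1,9}\z/', $raw) !== 1) {
        return 0;
    }
    return (int) $raw;
}

// 1. Read the request cookie once into a variable.
$visits = read_visits($_COOKIE);

// 2. Do the calculation on the variable.
$visits++;

// 3. Store the result for the next request. setcookie() only adds a
//    Set-Cookie header to this response; it does not change $_COOKIE.
setcookie('visits', (string) $visits, time() + 3600);

// 4. For the rest of this request, use $visits, not $_COOKIE['visits'].
echo "Visit number: " . $visits . "\n";
```

On the first request the script prints 1 even though no ‘visits’ cookie exists yet, and each later request prints the value carried in the request cookie plus one.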
