Skip to content


Improving security for cookies

Author: Simon Jackson

We have recently updated our security and user log in code which meant updating a few pieces of cookie related PHP. In doing so, we came across a couple of minor anamolies that would have saved us a lot of time and frustration if we had been aware of them.

#1 - setcookie vs session_set_cookie_params parameter differences

The two function calls defined below on first glance appear very similar indeed. In fact if you ignore the first two parameters of the setcookie function they seem to all intents and purposes to be pretty much identical.

void session_set_cookie_params ( int $lifetime [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]] )

bool setcookie ( string $name [, string $value [, int $expire = 0 [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]]]] )

However, the difference between the expire (setcookie) and lifetime (session_set_cookie_params) arguments is crucial and easy to overlook. The lifetime parameter is the amount of time in seconds from now that the cookie is to live, whereas the expire parameter is the timestamp at which the cookie is to expire. Quite why the two functions differ in such a seemingly inconsistent and confusing way is beyond us!

#2 Cross browser cookie domain differences

After a lot of debugging we also spotted that Internet Explorer (surprise, surprise) handles relative cookie domain paths particularly badly. Instead of handling them in an intelligent way i.e. by adding the relative path onto the end of the current domain, it decides to simply discard them! Almost every other browser seems capable of handling such an innocuous situation and when you develop in Firefox or Chrome and then do final testing in IE this is a particularly frustrating bug to discover.

Hopefully, this mini-blog will help at least one person overcome these same issues with less wasted time and vented frustration.