Skip to content
Modern cookie management for PHP
Branch: master
Clone or download
Type Name Latest commit message Commit time
Failed to load latest commit information.
src Use same-site restriction from input instead of blindly choosing 'Lax' Oct 11, 2018
tests Add additional tests for parsing of cookies Oct 11, 2018
.editorconfig Update '.editorconfig' Dec 12, 2016
.gitignore Initial commit Jun 8, 2016
.travis-ci-apache Add Travis CI configuration for running the tests Dec 12, 2016
.travis.yml Add PHP 5.4 and 5.5 as targets for Travis CI again Jun 11, 2017
LICENSE Change the license from 'Apache License 2.0' to 'MIT License' Jul 21, 2016 Fix typo Mar 9, 2018 Update URL of latest specification for same-site cookies Apr 6, 2018
composer.json Support PHP 5.4 and 5.5 again Jun 11, 2017


Modern cookie management for PHP


  • PHP 5.4.0+


  1. Include the library via Composer [?]:

    $ composer require delight-im/cookie
  2. Include the Composer autoloader:

    require __DIR__ . '/vendor/autoload.php';


Migrating from an earlier version of this project? See our upgrade guide for help.


Static method

This library provides a static method that is compatible to PHP’s built-in setcookie(...) function but includes support for more recent features such as the SameSite attribute:

\Delight\Cookie\Cookie::setcookie('SID', '31d4d96e407aad42');
// or
\Delight\Cookie\Cookie::setcookie('SID', '31d4d96e407aad42', time() + 3600, '/~rasmus/', '', true, true, 'Lax');

Builder pattern

Instances of the Cookie class let you build a cookie conveniently by setting individual properties. This class uses reasonable defaults that may differ from defaults of the setcookie function.

$cookie = new \Delight\Cookie\Cookie('SID');
$cookie->setMaxAge(60 * 60 * 24);
// $cookie->setExpiryTime(time() + 60 * 60 * 24);
// echo $cookie;

The method calls can also be chained:

(new \Delight\Cookie\Cookie('SID'))->setValue('31d4d96e407aad42')->setMaxAge(60 * 60 * 24)->setSameSiteRestriction('Strict')->save();

A cookie can later be deleted simply like this:


Note: For the deletion to work, the cookie must have the same settings as the cookie that was originally saved. So you should remember to pass appropriate values to setPath(...), setDomain(...), setHttpOnly(...) and setSecureOnly(...) again.

Reading cookies

  • Checking whether a cookie exists:

  • Reading a cookie’s value (with optional default value):

    // or
    \Delight\Cookie\Cookie::get('first_visit', \time());

Managing sessions

Using the Session class, you can start and resume sessions in a way that is compatible to PHP’s built-in session_start() function, while having access to the improved cookie handling from this library as well:

// start session and have session cookie with 'lax' same-site restriction
// or

// start session and have session cookie with 'strict' same-site restriction

// start session and have session cookie without any same-site restriction

All three calls respect the settings from PHP’s session_set_cookie_params(...) function and the configuration options, session.cookie_lifetime, session.cookie_path, session.cookie_domain, session.cookie_secure, session.cookie_httponly and session.use_cookies.

Likewise, replacements for

// and

are available via

// and

if you want protection against session fixation attacks that comes with improved cookie handling.

Additionally, access to the current internal session ID is provided via


as a replacement for


Reading and writing session data

  • Read a value from the session (with optional default value):

    $value = \Delight\Cookie\Session::get($key);
    // or
    $value = \Delight\Cookie\Session::get($key, $defaultValue);
  • Write a value to the session:

    \Delight\Cookie\Session::set($key, $value);
  • Check whether a value exists in the session:

    if (\Delight\Cookie\Session::has($key)) {
        // ...
  • Remove a value from the session:

  • Read and then immediately remove a value from the session:

    $value = \Delight\Cookie\Session::take($key);
    $value = \Delight\Cookie\Session::take($key, $defaultValue);

    This is often useful for flash messages, e.g. in combination with the has(...) method.

Parsing cookies

$cookieHeader = 'Set-Cookie:; expires=Thu, 09-Jun-2016 16:30:32 GMT; Max-Age=3600; path=/~rasmus/; secure';
$cookieInstance = \Delight\Cookie\Cookie::parse($cookieHeader);



All contributions are welcome! If you wish to contribute, please create an issue first so that your feature, problem or question can be discussed.


This project is licensed under the terms of the MIT License.

You can’t perform that action at this time.