Table Of Contents

Previous topic

< Returning Responses

Next topic

Generating URLs and Paths >

Cookies Management

Cookies are very useful way to store small pieces of data in the client that can be retrieved even if the user closes his/her browser. Phalcon\Http\Response\Cookies acts as a global bag for cookies. Cookies are stored in this bag during the request execution and are sent automatically at the end of the request.

Basic Usage

You can set/get cookies by just accessing the ‘cookies’ service in any part of the application where services can be accessed:

<?php

class SessionController extends Phalcon\Mvc\Controller
{
    public function loginAction()
    {
        //Check if the cookie has previously set
        if ($this->cookies->has('remember-me')) {

            //Get the cookie
            $rememberMe = $this->cookies->get('remember-me');

            //Get the cookie's value
            $value = $rememberMe->getValue();

        }
    }

    public function startAction()
    {
        $this->cookies->set('remember-me', 'some value', time() + 15 * 86400);
    }
}

Encryption/Decryption of Cookies

By default, cookies are automatically encrypted before be sent to the client and decrypted when retrieved. This protection allow unauthorized users to see the cookies’ contents in the client (browser). Although this protection, sensitive data should not be stored on cookies.

You can disable encryption in the following way:

<?php

$di->set('cookies', function() {
    $cookies = new Phalcon\Http\Response\Cookies();
    $cookies->useEncryption(false);
    return $cookies;
});

In case of using encryption a global key must be set in the ‘crypt’ service:

<?php

$di->set('crypt', function() {
    $crypt = new Phalcon\Crypt();
    $crypt->setKey('#1dj8$=dp?.ak//j1V$'); //Use your own key!
    return $crypt;
});
Send cookies data without encryption to clients including complex objects structures, resultsets, service information, etc. could expose internal application details that could be used by an attacker to attack the application. If you do not want to use encryption, we highly recommend you only send very basic cookie data like numbers or small string literals.