Difficulty: Easy
Correct Answer: By calling the setcookie() function with at least a name and value (and optional parameters such as expiry time, path, domain, secure, and httponly) before any output is sent to the browser
Explanation:
Introduction / Context:
Cookies are small pieces of data stored on the client browser and sent with each request to the server for a given domain. PHP makes it easy to set and read cookies, which are commonly used for remembering user preferences, session identifiers, or tracking data. Interview questions about cookies usually focus on the setcookie() function and the requirement that HTTP headers must be sent before any body output.
Given Data / Assumptions:
Concept / Approach:
setcookie() is the primary PHP function used to instruct the server to send a Set-Cookie header. It takes parameters including the cookie name, value, expiry time as a Unix timestamp, path, domain, and security flags. When setcookie() is called, PHP adds the appropriate header to the response. The browser receives this header, stores the cookie, and then sends it back on subsequent requests to the same domain and path. Directly modifying $_COOKIE does not send headers; it only changes the local representation for the current request.
Step-by-Step Solution:
Step 1: At the top of your PHP script, before echoing any HTML or whitespace, call setcookie("username", "Alice", time() + 3600, "/"). This creates a cookie named username with value Alice that expires in one hour, valid for the entire site.
Step 2: PHP attaches a Set-Cookie header to the HTTP response, which might look like Set-Cookie: username=Alice; expires=...; path=/.
Step 3: The browser receives the response, stores the cookie locally, and on the next request to the same domain and path sends Cookie: username=Alice in the request headers.
Step 4: PHP reads these headers and populates $_COOKIE["username"] for the next request, allowing the application to access the stored value.
Step 5: If you need security features, you can set the secure flag to restrict the cookie to HTTPS and httponly to prevent JavaScript from accessing the cookie.
Step 6: This sequence demonstrates that setcookie() is the correct and standard way to set cookies in PHP.
Verification / Alternative check:
You can verify cookie behaviour by writing a script that calls setcookie() and then redirects or prints a message. Using browser developer tools, inspect the response headers to see the Set-Cookie line and inspect subsequent requests to see the Cookie header sent back to the server. You will also see the cookie listed in the browser cookie storage for the domain. Trying to set a cookie after output has been sent will produce a warning about headers already being sent, confirming that setcookie() must be called before output.
Why Other Options Are Wrong:
Option b is wrong because assigning values to $_COOKIE only changes the server-side array for the current request; it does not create or update browser cookies. Option c is incorrect because browsers do not read arbitrary text files from the server to obtain cookie data; cookies are controlled strictly through HTTP headers. Option d is wrong because there is no HTML tag called cookie; cookies are not defined in markup but in headers.
Common Pitfalls:
Common pitfalls include calling setcookie() after echoing content, which causes "headers already sent" errors, and forgetting to set appropriate flags such as secure and httponly for sensitive cookies. Another issue is neglecting to specify an expiry time: this creates a session cookie that disappears when the browser is closed, which may or may not be desired. Developers should carefully design cookie lifetimes and scopes and always use HTTPS for cookies that carry sensitive information.
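The pitfalls above in runnable form, as an added example that is not part of the original page: the helper set_hardened_cookie() and the cookie name sid are hypothetical, and the options-array form of setcookie() assumes PHP 7.3 or later. It goes slightly beyond the text by also setting the samesite attribute.

```php
<?php
// Added example (not from the original page). Assumes PHP 7.3+ and an HTTPS site.

/**
 * Hypothetical helper: queue a cookie with hardened attributes.
 * Returns false, instead of triggering a warning, if body output has started.
 */
function set_hardened_cookie(string $name, string $value, int $ttlSeconds = 0): bool
{
    // Pitfall: Set-Cookie is a header, so it cannot be added after body output.
    if (headers_sent($file, $line)) {
        error_log("Cookie '$name' not set: output started at $file:$line");
        return false;
    }

    return setcookie($name, $value, [
        // 0 = session cookie (discarded when the browser closes)
        'expires'  => $ttlSeconds > 0 ? time() + $ttlSeconds : 0,
        'path'     => '/',      // valid for the entire site
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',    // not sent on most cross-site subrequests
    ]);
}

// Weak form from Step 1: no secure or httponly flag.
// setcookie("username", "Alice", time() + 3600, "/");

// Hardened equivalents, called before any output.
$prefOk    = set_hardened_cookie('username', 'Alice', 3600);
$sessionOk = set_hardened_cookie('sid', bin2hex(random_bytes(16))); // session cookie

echo "Cookies queued: ", var_export($prefOk && $sessionOk, true), "\n";

// Too late: the echo above started the response body, so this returns false
// (unless output buffering is enabled, which delays when headers are sent).
$lateOk = set_hardened_cookie('late', 'value', 60);
echo "Late cookie set: ", var_export($lateOk, true), "\n";

// $_COOKIE is only populated from the request's Cookie header, so a cookie
// queued in this response is not readable until the next request.
echo "Visible now: ", var_export(isset($_COOKIE['sid']), true), "\n";
```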
Final Answer:
You set a cookie in PHP by calling setcookie() with at least a name and value, and optionally expiry and other parameters, before any output is sent so that PHP can send the appropriate Set-Cookie header to the browser.