Cookies
Cookies are managed in a cookie jar that uses a prefixed format to isolate cookies by context while allowing them to share common attributes. Alongside the usual parameters, the Partitioned attribute is supported.
Create a cookie jar
A basic example that defines 3 cookies:
use Inphinit\Experimental\Http\CookieJar;
$jar = new CookieJar('sample');
$jar->foo = 1;
$jar->bar = 2.5;
$jar->baz = 'text';
$jar->setExpires('+1 week');
$jar->setHttpOnly(true);
$jar->setPartitioned(true);
$jar->send();
When using the send method, headers like this will be sent in the response:
Set-Cookie: sample:foo=1; Path=/; HttpOnly; Partitioned; Secure; Expires=Sun, 04 Jan 2026 19:42:30 GMT
Set-Cookie: sample:bar=2; Path=/; HttpOnly; Partitioned; Secure; Expires=Sun, 04 Jan 2026 19:42:30 GMT
Set-Cookie: sample:baz=3; Path=/; HttpOnly; Partitioned; Secure; Expires=Sun, 04 Jan 2026 19:42:30 GMT
Deleting cookies
Assigning null to a cookie deletes it:
use Inphinit\Experimental\Http\CookieJar;
$jar = new CookieJar('sample');
$jar->foo = null;
$jar->bar = null;
$jar->baz = '3';
$jar->send();
When using the send method, headers like this will be sent in the response:
Set-Cookie: sample:foo=_; Path=/; HttpOnly; Partitioned; Secure; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0
Set-Cookie: sample:bar=_; Path=/; HttpOnly; Partitioned; Secure; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0
Set-Cookie: sample:baz=3; Path=/; HttpOnly; Partitioned; Secure; Expires=Sun, 04 Jan 2026 19:45:48 GMT
API
| Usage | Description |
|---|---|
| setDomain($domain) | Defines the host to which the cookie will be sent. Note: Contrary to earlier specifications, leading dots in domain names (.example.com) are ignored. |
| setExpires(string $datetime) | Indicates the maximum lifetime of the cookies. Note: Accepts English textual datetime descriptions (e.g., '+1 day', 'last Monday'). |
| setHttpOnly(bool $enable) | Forbids JavaScript from accessing the cookie, for example, through the document.cookie property. |
| setPartitioned(bool $enable) | Indicates that the cookie should be stored using partitioned storage. Note that if this is set, the Secure directive must also be set. |
| setPath(string $path) | Indicates the path that must exist in the requested URL for the browser to send the Cookie header. |
| setSameSite(int $mode) | Controls whether or not a cookie is sent with cross-site requests. |
| setSecure(bool $enable) | Indicates that the cookie is sent to the server only when a request is made with the https scheme (except on localhost), and therefore, is more resistant to man-in-the-middle attacks. |
Constants
The following constants should be used with the setSameSite() method:
| Usage | Description |
|---|---|
| SAME_LAX | Send the cookies only for requests originating from the same site that set the cookie, and for cross-site requests that meet both of the following criteria. |
| SAME_NONE | Send the cookie with both cross-site and same-site requests. |
| SAME_STRICT | Send the cookies only for requests originating from the same site that set the cookie. |
Example:
use Inphinit\Experimental\Http\CookieJar;
$jar = new CookieJar('sample');
...
$jar->setSameSite(CookieJar::SAME_STRICT);
$jar->send();
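One way to check the headers a jar emits against the attribute notes above (Secure, HttpOnly, Partitioned, SameSite), as an added example that is not part of Inphinit or of the original page. parseSetCookie() and auditCookie() are hypothetical helpers, and only the first sample header is taken from the page's output; the other two are constructed.

```php
<?php
// Added example (not Inphinit code): audit Set-Cookie lines against the
// attribute rules described on this page.

/** Split one Set-Cookie line into name, value and lower-cased attributes. */
function parseSetCookie(string $line): array
{
    $line = preg_replace('/^Set-Cookie:\s*/i', '', trim($line));
    $parts = array_map('trim', explode(';', $line));
    [$name, $value] = array_pad(explode('=', array_shift($parts), 2), 2, '');
    $attrs = [];
    foreach (array_filter($parts, 'strlen') as $part) {
        // Flag attributes (HttpOnly, Secure, Partitioned) carry no value.
        [$key, $val] = array_pad(explode('=', $part, 2), 2, true);
        $attrs[strtolower(trim($key))] = $val;
    }
    return ['name' => $name, 'value' => $value, 'attrs' => $attrs];
}

/** Return the list of findings for one parsed cookie (empty = nothing to report). */
function auditCookie(array $cookie): array
{
    $a = $cookie['attrs'];
    if (($a['max-age'] ?? null) === '0') {
        return []; // deletion header, as in the "Deleting cookies" output
    }
    $secure = isset($a['secure']);
    $sameSite = strtolower((string) ($a['samesite'] ?? ''));
    $findings = [];
    if (!$secure) $findings[] = 'no Secure: also sent over plain http';
    if (!isset($a['httponly'])) $findings[] = 'no HttpOnly: readable via document.cookie';
    if (isset($a['partitioned']) && !$secure) $findings[] = 'Partitioned requires Secure';
    // Browser rule not stated on this page: SameSite=None is only accepted with Secure.
    if ($sameSite === 'none' && !$secure) $findings[] = 'SameSite=None requires Secure';
    if ($sameSite === '') $findings[] = 'no SameSite: browser default applies';
    return $findings;
}

// First line is from the page's sample output; the other two are constructed.
$headers = [
    'Set-Cookie: sample:foo=1; Path=/; HttpOnly; Partitioned; Secure; Expires=Sun, 04 Jan 2026 19:42:30 GMT',
    'Set-Cookie: sample:sid=abc; Path=/; Partitioned; SameSite=None',
    'Set-Cookie: sample:old=_; Path=/; Secure; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0',
];
foreach ($headers as $header) {
    $cookie = parseSetCookie($header);
    $findings = auditCookie($cookie);
    echo $cookie['name'], ': ', $findings ? implode('; ', $findings) : 'ok', PHP_EOL;
}
```

The same two functions can be pointed at the output of PHP's headers_list() in a test, so a jar that drops Secure or HttpOnly is caught before release.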