0

I was following this SO Question and this SO Question for setting up Remember Me. However when I pull up Cookies in Google I get PHP and Javascript ways to do it. Which way is better, or do I need to use both? I have a code base in PHP and Javascript and I need a starting point. I see the multitude of SO articles on javascript vs. php for cookies but that is not what I'm asking..I know the difference between server side and client side programming and what a cookie is...but could not see an explicit answer on how to set / retrieve a cookie. My assumptions would be:

For setting a cookie:

Use PHP when the user logs in and sets "Remember Me". Although the client has control at this point, the credentials must pass back to PHP for validation. Once validation is complete set a cookie and store the Token.

For checking a cookie:

Use PHP, because PHP is called first when a user requests a page from you web app the first time, so check for the cookie there and determine what data to send to the user.

So my guess is PHP both ways.

If I am correct ...if so what are javascript cookies used for?

Related

W3 Schools - PHP Cookies

PHP.net

Community
  • 1
  • 1

2 Answers2

2

The Javascript way won't work if javascript is not available, whereas setting the cookie server-side is guaranteed to work unless the user has explicitly blocked cookies. Manipulating cookies in javascript (via document.cookie) is not a fun experience, whereas PHP provides $_COOKIE (and $_SESSION which is indirectly dependant on cookies in its most common usage patterns) which are far simpler to deal with. A cookie set in PHP can be accessed in Javascript unless specified otherwise (which I'll get to) and I don't know what dealing with secure cookies (sent via https) would be like in javascript, but I don't imagine it would be pleasant.

Cookies can be set HTTP only if you use a server side technology to set them. When set, browsers that are HTTP-only cookie aware will deny access to the cookie for javascript. This is important because javascript can be used to snoop on cookies and steal their content, sending them to an eavesdropper. HTTP only cookies prevent this kind of abuse.

So in short, I'd go with PHP for setting your cookie.

GordonM
  • 29,211
  • 15
  • 77
  • 126
2

Javascript cookies are generally used for setting position/color of elements on a page, per the users preferences. For example, a site with several different themes (e.g. "dark", "light") and buttons to change the current theme on the side of the page might store the theme the user selected using a cookie, so that the next time the user visits the site the page theme will be the same. This information could also be stored server-side, but for privacy reasons it may be preferable to store client side, especially if the user doesn't have an account on the site.

The bottom line is that you should use php for any cookies that are essential to the function of your website, and use javascript cookies for superficial aspects of your site such as the theme.

pycoder112358
  • 865
  • 5
  • 10