略微加速

PHP官方手册 - 互联网笔记

PHP - Manual: setrawcookie

2024-12-20

setrawcookie

(PHP 5, PHP 7, PHP 8)

setrawcookie发送未经 URL 编码的 cookie

说明

setrawcookie(
    string $name,
    string $value = ?,
    int $expire = 0,
    string $path = ?,
    string $domain = ?,
    bool $secure = false,
    bool $httponly = false
): bool

setrawcookie()setcookie() 非常相似,唯一不同之处是发送到浏览器的 cookie 值没有自动经过 URL 编码(urlencode)。

参数

相关参数的信息参见 setcookie() 的文档。

返回值

成功时返回 true, 或者在失败时返回 false

更新日志

版本 说明
5.5.0 发送给客户端的 Set-Cookie 头现在会加上 Max-Age 属性。
5.2.0 增加了 httponly 参数。

参见

add a noteadd a note

User Contributed Notes 6 notes

up
29
Brian
16 years ago
Firefox is following the real spec and does not decode '+' to space...in fact it further encodes them to '%2B' to store the cookie.  If you read a cookie using javascript and unescape it, all your spaces will be turned to '+'.
To fix this problem, use setrawcookie and rawurlencode:

<?php
setrawcookie
('cookie_name', rawurlencode($value), time()+60*60*24*365);
?>

The only change is that spaces will be encoded to '%20' instead of '+' and will now decode properly.
up
13
subs at voracity dot org
15 years ago
setrawcookie() isn't entirely 'raw'. It will check the value for invalid characters, and then disallow the cookie if there are any. These are the invalid characters to keep in mind: ',;<space>\t\r\n\013\014'.

Note that comma, space and tab are three of the invalid characters. IE, Firefox and Opera work fine with these characters, and PHP reads cookies containing them fine as well. However, if you want to use these characters in cookies that you set from php, you need to use header().
up
4
Sebastian
10 years ago
You really shouldn't use (un)serialize with cookies. An evil user could inject ANY code in your script.
up
2
sageptr at gmail dot com
9 years ago
If you want to pass something and unserialize later, you should somehow sign value to ensure evil user don't modify it.
For example, calculate hash sha1($value.$securekey) and place it to different cookie. If cookie value mismatch hash - simple discard both.
This technique you can use in any case if you want to protect cookie from modification, but it can't protect from deletion or from setting to other valid cookie (old or stolen from other user).
up
-6
lgb
12 years ago
After having several problems with this cookie thing, I'm using base64_encode on the data I put into a cookie, so I can avoid problems, I had before. I tried to set up cookie with data created by serialize() from a PHP array, but it did not work to be able to get it back, after I modified it to use value of base64_encode(serialize(...)) to set up the cookie, and unserialize(base64_decode(..)) to get back the value, everything started to work.
up
-39
kexianbin at diyism dot com
10 years ago
my php cookie value encode function:

<?php
function encode_cookie_value($value)
         {return
strtr($value,
                      
array_combine(str_split($tmp=",; \t\r\n\013\014"),
                                    
array_map('rawurlencode', str_split($tmp))
                                    )
                      );
         }
setrawcookie('kk', encode_cookie_value('jk=jk?jk-/":jk;jk jk,jk'));
?>

官方地址:https://www.php.net/manual/en/function.setrawcookie.php

北京半月雨文化科技有限公司.版权所有 京ICP备12026184号-3