PHP setrawcookie Function
last modified April 4, 2025
The PHP setrawcookie function sends a raw cookie without URL encoding.
It's useful when you need precise control over cookie values.
Basic Definition
setrawcookie defines a cookie to be sent along with HTTP headers.
Unlike setcookie, it doesn't URL encode the cookie value.
Syntax: setrawcookie(string $name, string $value = "", array $options = []): bool.
It must be called before any output is sent to the browser.
Basic Raw Cookie Example
This example demonstrates setting a simple raw cookie with a name and value.
<?php
declare(strict_types=1);
setrawcookie("user_token", "abc123XYZ!@#");
echo "Raw cookie set successfully";
The cookie value remains exactly as provided, with no URL encoding applied. Special characters like !@# are preserved in their original form.
Cookie with Expiration Time
This shows how to set a raw cookie with a specific expiration time.
<?php
declare(strict_types=1);
$expire = time() + 3600; // 1 hour from now
setrawcookie("session_id", "raw_value_!@#", [
    'expires' => $expire
]);
echo "Cookie will expire in 1 hour";
The expiration is set using the 'expires' option in the options array. The cookie will automatically expire after the specified timestamp.
Secure and HttpOnly Cookie
This example creates a secure, HttpOnly raw cookie for enhanced security.
<?php
declare(strict_types=1);
setrawcookie("auth_token", "secure!raw#value", [
    'secure' => true,
    'httponly' => true,
    'samesite' => 'Strict'
]);
echo "Secure HttpOnly cookie set";
The 'secure' flag ensures the cookie is only sent over HTTPS. HttpOnly prevents JavaScript access, and SameSite restricts cross-site usage.
Domain and Path Restricted Cookie
This demonstrates setting a raw cookie restricted to a specific domain and path.
<?php
declare(strict_types=1);
setrawcookie("preferences", "dark_theme=true", [
    'domain' => '.example.com',
    'path' => '/settings',
    'expires' => time() + 86400
]);
echo "Domain and path restricted cookie set";
The cookie will only be sent to example.com and its subdomains. It's further restricted to URLs under the /settings path.
Cookie with Special Characters
This example shows how setrawcookie preserves special characters in values.
<?php
declare(strict_types=1);
$rawValue = "user@domain.com|token=ABC123!*()";
setrawcookie("user_data", $rawValue);
echo "Cookie with special characters set without encoding";
The raw value containing @, |, =, and !*() is preserved exactly. With setcookie, these would be URL encoded, changing the value.
Best Practices
- Security: Always use secure and HttpOnly flags for sensitive cookies
- Timing: Call before any output to avoid headers already sent errors
- Validation: Sanitize values since they aren't URL encoded
- Size Limit: Keep under 4KB browser limit for cookie size
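One way to apply the validation advice above, as an added example that is not from the original tutorial or the PHP manual: setrawcookie refuses values containing a comma, semicolon or whitespace, so untrusted data is base64url-encoded first and the result is checked against the RFC 6265 cookie-octet set before it is sent. The helper names is_raw_cookie_safe, encode_cookie_payload and decode_cookie_payload, the cookie name display_name and the sample input are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not a PHP built-in): true when $value contains only
// RFC 6265 cookie-octets, i.e. no control characters, whitespace, double
// quote, comma, semicolon or backslash.
function is_raw_cookie_safe(string $value): bool
{
    return preg_match('/\A[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*\z/', $value) === 1;
}

// Hypothetical helper: base64url output uses only A-Z, a-z, 0-9, "-" and "_",
// so any byte string becomes a valid raw cookie value.
function encode_cookie_payload(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

// Reverse of encode_cookie_payload(); returns null for malformed input.
function decode_cookie_payload(string $encoded): ?string
{
    $decoded = base64_decode(strtr($encoded, '-_', '+/'), true);
    return $decoded === false ? null : $decoded;
}

// Constructed sample input standing in for user-supplied data.
$displayName = "Ada Lovelace, Jr.; team=a b";
$value = encode_cookie_payload($displayName);

// Defence in depth: refuse to send anything outside the allowed set.
if (!is_raw_cookie_safe($value)) {
    throw new InvalidArgumentException('Cookie value contains forbidden characters');
}

$sent = setrawcookie('display_name', $value, [
    'expires'  => time() + 3600,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);

// Output only after the cookie header has been queued.
echo 'raw input passes check: ', var_export(is_raw_cookie_safe($displayName), true), PHP_EOL;
echo 'cookie queued: ', var_export($sent, true), PHP_EOL;
echo 'round trip intact: ', var_export(decode_cookie_payload($value) === $displayName, true), PHP_EOL;
```

Base64url only makes the value transport-safe; it does not hide or authenticate it.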
Source
PHP setrawcookie Documentation
This tutorial covered the PHP setrawcookie function with practical
examples for setting raw cookies in various scenarios.