Ora

How to Handle Cookies in Laravel

Published in Laravel Cookie Management 5 mins read

Handling cookies in Laravel is a straightforward process, primarily involving attaching them to outgoing responses and retrieving them from incoming requests. Laravel provides convenient methods to manage cookies, simplifying tasks like storing user preferences, session data, or other client-side information.

Understanding Cookies in Laravel

Cookies are small pieces of data stored on the user's browser by the web server. Laravel encrypts all cookies by default, making them secure from client-side tampering and ensuring that their values are only readable by your application. This default encryption protects sensitive data you might store in cookies.

Setting Cookies in Laravel

To set a cookie, you define its name and value, optionally set an expiration time, and then attach it to the HTTP response your application sends back to the user's browser.

1. Defining Name, Value, and Expiration

Every cookie needs a descriptive name and an associated value. You can also specify an expiration time, which determines how long the cookie will persist on the user's browser.

2. Attaching Cookies to a Response

Laravel offers several convenient ways to attach a cookie to an outgoing HTTP response:

  • Using the cookie() method on a Response instance: This is the most common and direct way.

    use Illuminate\Http\Response;

Route::get('/set-cookie', function () {
    $response = new Response('Hello World');
    $response->cookie(
        'my_preference', // Name
        'dark_mode',     // Value
        60               // Minutes until expiration (60 minutes)
    );
    return $response;
});

  • Using the response() helper: A more concise approach.

    Route::get('/set-cookie-helper', function () {
    return response('Hello World')->cookie(
        'user_token', // Name
        'some_secret_token', // Value
        120,          // Minutes until expiration (2 hours)
        '/',          // Path (available application-wide)
        null,         // Domain (null for current domain)
        true,         // Secure (only sent over HTTPS)
        true          // HttpOnly (not accessible via JavaScript)
    );
});

    Here's a breakdown of the cookie() method parameters:

    Parameter Type Description
    name string The descriptive name of your cookie.
    value string The value to be stored in the cookie.
    minutes int The number of minutes until the cookie expires. Use a negative value to expire immediately, or 0 for a "session cookie" that expires when the browser closes.
    path string The path on the server for which the cookie will be available. Default is / (application-wide).
    domain string The domain for which the cookie is available. Default is null (current domain). Can be used for subdomains.
    secure bool If true, the cookie will only be sent over HTTPS connections. Highly recommended for sensitive data.
    httpOnly bool If true, the cookie will not be accessible via client-side JavaScript. This helps mitigate XSS attacks. Highly recommended.
    sameSite string Controls when the cookie is sent with cross-site requests. Options: Lax, Strict, None. Learn more about SameSite cookies.
    raw (Laravel 9+) bool If true, the cookie value will not be encrypted. Use with caution.

  • Using the Cookie Facade (Queueing Cookies): For cases where you need to set a cookie before a response is ready, you can "queue" it. Laravel will attach all queued cookies to the final HTTP response automatically.

    use Illuminate\Support\Facades\Cookie;

Route::get('/queue-cookie', function () {
    Cookie::queue('session_id', 'user_session_abc', 30); // 30 minutes
    return 'Cookie "session_id" queued!';
});

    This is particularly useful when you're redirecting or performing other actions before returning a view.

Retrieving Cookies in Laravel

Retrieving cookies is done through the incoming HTTP request object.

1. Accessing the Request Object

The Request object provides a convenient way to interact with all incoming request data, including cookies. You can access it via dependency injection or using the global request() helper function.

2. Specifying Cookie Name and Retrieving Value

To retrieve a specific cookie's value, you pass its name to the cookie() method on the Request object.

Route::get('/get-cookie', function () {
    $preference = request()->cookie('my_preference');

    // Conditional Logic: Check if the cookie exists before using it
    if ($preference) {
        return "User's preference: " . $preference;
    } else {
        return "Cookie 'my_preference' not found.";
    }
});

You can also check for the existence of a cookie explicitly using hasCookie():

Route::get('/check-cookie', function () {
    if (request()->hasCookie('user_token')) {
        return 'The user_token cookie exists!';
    } else {
        return 'The user_token cookie does not exist.';
    }
});

Forgetting (Deleting) Cookies

To remove a cookie from the user's browser, you need to create a new cookie with the same name and path, but set an expiration time in the past. Laravel provides a dedicated method for this.

  • Using the forget() method on a Response instance:

    Route::get('/forget-cookie', function () {
    $response = new Response('Cookie forgotten!');
    $response->withoutCookie('my_preference'); // Or ->cookie('my_preference', null, -2628000); for past expiration
    return $response;
});

    The withoutCookie() method is a cleaner way to signal that a specific cookie should be removed.

  • Using the Cookie Facade:

    use Illuminate\Support\Facades\Cookie;

Route::get('/forget-queued-cookie', function () {
    Cookie::forget('session_id');
    return 'Cookie "session_id" forgotten!';
});

    Similar to queue(), forget() on the Cookie facade queues the deletion of a cookie, attaching it to the final response.

Practical Insights and Best Practices

  • Encryption: Remember that Laravel encrypts all cookies by default, which is a significant security feature. This means you don't need to manually encrypt cookie values unless you disable Laravel's default encryption for specific cookies (which is generally not recommended).
  • Purpose-Driven Cookies: Use cookies for non-sensitive data like UI preferences (e.g., dark mode, language) or temporary, non-critical session identifiers.
  • Security: Always use secure and httpOnly flags for production environments, especially for any cookie that could be remotely sensitive. This mitigates risks like Cross-Site Scripting (XSS) and ensures cookies are only sent over encrypted connections.
  • Cookie Policy: Inform users about your cookie usage, especially if you store any personally identifiable information, to comply with privacy regulations like GDPR or CCPA.
  • Session Management: For complex user authentication and session management, rely on Laravel's built-in session system, which uses cookies internally but handles much of the complexity and security for you.

By understanding these methods and best practices, you can effectively manage cookies within your Laravel applications, enhancing user experience and maintaining robust security.

← Previous Article
How do you use cookie script?
Next Article →
Why Do People Hold Back Information?