Phalcon - Cookie Management


Cookies, also known as browser cookies, are small text files stored in the browser. They save all the information related to user identity. This information is used to validate users as they browse through different pages.

There are two different types of Cookies −

  • Session Cookies − These cookies stay in the browser and retain information until the browser is closed. When the browser is opened again, it is treated as a new session for the same user.

  • Persistent Cookies − These cookies have a stipulated lifespan and remain in the browser for that lifespan. Websites that use persistent cookies keep track of each and every user, even if the browser is closed by the user.

Let us now discuss how cookies work in Phalcon.

Cookies in Phalcon

Phalcon uses Phalcon\Http\Response\Cookies as global storage for cookies. Cookies are stored in Phalcon while sending a request to the server.

Following is the syntax for setting up a Cookie −


Consider the following example. Using the following code, we will create a cookie for the user when the user logs in to the web application.


class UsersController extends \Phalcon\Mvc\Controller {
   public function indexAction() {
      if ($this->cookies->has("login-action")) {
         // Get the cookie
         $loginCookie = $this->cookies->get("login-action");
         // Get the cookie's value
         $value = $loginCookie->getValue();
         echo($value);
      }
      // Create the cookie with value "abc" and a lifetime of 15 days
      $this->cookies->set("login-action", "abc", time() + 15 * 86400);
   }
}

The encrypted cookies will be displayed as output.

Displayed Output


Cookie named “loginAction” has been created with value “abc”.

The method “indexAction” checks whether the cookie exists and prints the value accordingly.

Encryption of Cookies

Cookies in Phalcon are encrypted before being sent to the server as a request and decrypted as soon as we get an appropriate response from the server. This assures security of the authorized users.

It is always suggested to avoid storing sensitive data in cookies, despite the encryption and decryption functionality. The configuration for encryption of cookies is included in the services.php file.


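use Phalcon\Http\Response\Cookies;
use Phalcon\Crypt;

// Enable encryption key for setting values of cookies
$di->set(
   "cookies", function () {
      $cookies = new Cookies();
      $cookies->useEncryption(true); // encrypt cookie values with the "crypt" service
      return $cookies;
   }
);

// Set encryption key
$di->set(
   "crypt", function () {
      $crypt = new Crypt();
      $crypt->setKey('AED@!sft56$'); // Use a unique Key!
      return $crypt;
   }
);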


  • It is always suggested to use encryption while sending cookies to the server.

  • If encryption is not used, the internal application data held in cookies will be exposed to the attacker.

  • It is also recommended to store small data and literals in cookies.
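
A hardened variant of the configuration and the login cookie shown above, as an added example that is not part of the original tutorial: the key is read from the environment instead of being hard-coded in services.php, and the cookie is set with the Secure and HttpOnly flags. The variable name COOKIE_CRYPT_KEY, the 32-character minimum and the helper loadCookieKey() are assumptions made for this example, and $di is assumed to be the application's DI container.

```php
<?php

use Phalcon\Crypt;
use Phalcon\Http\Response\Cookies;
use Phalcon\Mvc\Controller;

// Hypothetical helper (not part of Phalcon): read the key from the environment
// and fail closed when it is missing or short. COOKIE_CRYPT_KEY is an assumed
// name; generate a value once with: php -r 'echo bin2hex(random_bytes(32));'
function loadCookieKey(): string
{
    $key = getenv('COOKIE_CRYPT_KEY');
    if ($key === false || strlen($key) < 32) {
        throw new RuntimeException('COOKIE_CRYPT_KEY is missing or shorter than 32 characters');
    }
    return $key;
}

// services.php ($di is the application's DI container): no key in source control
$di->set('crypt', function () {
    $crypt = new Crypt();
    $crypt->setKey(loadCookieKey());
    return $crypt;
});

$di->set('cookies', function () {
    $cookies = new Cookies();
    $cookies->useEncryption(true);
    return $cookies;
});

// Controller file: the tutorial's cookie, restricted to HTTPS and hidden from scripts
class UsersController extends Controller
{
    public function indexAction()
    {
        // Argument order: name, value, expire, path, secure, domain, httpOnly
        $this->cookies->set(
            'login-action',
            'abc',
            time() + 15 * 86400,
            '/',
            true,  // Secure: sent only over HTTPS
            null,  // domain: default (current host)
            true   // HttpOnly: not readable from JavaScript
        );
    }
}
```

Because the helper throws when the variable is unset, a deployment that forgets the key fails at the first cookie access instead of running with a weak or empty key.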