Installation with Composer

```
composer require polymorphine/headers
```

- Instantiate a cookie builder using `ResponseHeaders` context:

  ```php
  $headers = new ResponseHeaders();
  $cookieSetup = new CookieSetup($headers);
  ```

  Alternatively, `CookieSetup` can be instantiated with a `ResponseHeaders` method:

  ```php
  $cookieSetup = $context->cookieSetup();
  ```

- Configure the cookie with an array of its directives/attributes (see `CookieSetup::directives()` method):

  ```php
  $cookieSetup->directives([
      'Domain'   => 'example.com',
      'Path'     => '/admin',
      'Expires'  => new DateTime(...),
      'MaxAge'   => 1234,
      'Secure'   => true,
      'HttpOnly' => true,
      'SameSite' => 'Strict'
  ]);
  ```

  Modifying the setup object is also possible with its builder methods:

  ```php
  $cookieSetup->domain('example.com')
              ->path('/admin')
              ->expires(new DateTime(...))
              ->maxAge(1234)
              ->secure()
              ->httpOnly()
              ->sameSite('Strict');
  ```

- Instantiate `Cookie` type object with its name:

  ```php
  $cookie = $cookieSetup->cookie('MyCookie');
  ```

- Send value:

  ```php
  $cookie->send('value');
  ```

  or order the cookie to be revoked, so that it is not sent with future requests:

  ```php
  $cookie->revoke();
  ```

  Each cookie can send/revoke header only once.

Directives are used according to the RFC6265 section about Set-Cookie header attributes (except the relatively new `SameSite` directive). Their description can also be found at Mozilla Developer Network. A concise description with additional class logic is given in the docBlocks of the mutator methods of the `CookieSetup` class.

Here are some class-specific rules for setting those directives:
- Empty values and root path (`/`) might be omitted as they're the same as the default.
- `SameSite` allowed values are `Strict` or `Lax`, but `Lax` will be set for any non-empty value given.
- `Expires` and `MaxAge` are different ways to set the same cookie's expiry date. If both directives are passed into the constructor or the `directivesArray()` method, the last value will be used due to overwrite.
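
The rules above, shown as an added sketch that is not part of the original README and not the package's own code: a standalone, hypothetical `setCookieLine()` function that renders a `Set-Cookie` value from a directives array. Emitting both `Expires` and `Max-Age` from the single winning expiry value, and matching `Strict` by exact string, are assumptions of this sketch.

```php
<?php
// Added illustration of the directive rules listed above.
// setCookieLine() is a hypothetical helper, not the polymorphine/headers API.
function setCookieLine(string $name, string $value, array $directives, int $now): string
{
    $expiry = null;
    foreach ($directives as $key => $val) {
        // Expires and MaxAge set the same expiry date: the later entry overwrites.
        if ($key === 'Expires' && $val instanceof DateTimeInterface) {
            $expiry = $val->getTimestamp();
        } elseif ($key === 'MaxAge' && is_int($val)) {
            $expiry = $now + $val;
        }
    }
    $line = $name . '=' . $value;
    if (!empty($directives['Domain'])) {
        $line .= '; Domain=' . $directives['Domain'];
    }
    // Root path equals the default, so it is omitted like an empty value.
    $path = $directives['Path'] ?? '';
    if ($path !== '' && $path !== '/') {
        $line .= '; Path=' . $path;
    }
    if ($expiry !== null) {
        // Assumption: both attributes are derived from the one expiry value.
        $line .= '; Expires=' . gmdate('D, d M Y H:i:s', $expiry) . ' GMT';
        $line .= '; Max-Age=' . ($expiry - $now);
    }
    if (!empty($directives['Secure'])) {
        $line .= '; Secure';
    }
    if (!empty($directives['HttpOnly'])) {
        $line .= '; HttpOnly';
    }
    // Any non-empty SameSite value other than 'Strict' ends up as 'Lax'.
    if (!empty($directives['SameSite'])) {
        $line .= '; SameSite=' . ($directives['SameSite'] === 'Strict' ? 'Strict' : 'Lax');
    }
    return $line;
}

$now = 1700000000; // constructed fixed clock so the output is reproducible
echo setCookieLine('MyCookie', 'value', [
    'Path' => '/', 'Expires' => new DateTime('@1700003600'), 'MaxAge' => 1234,
    'Secure' => true, 'HttpOnly' => true, 'SameSite' => 'None', // not an allowed value
], $now), PHP_EOL;
```

With this constructed input the root path is dropped, the later `MaxAge` entry overrides the earlier `Expires` entry, and the unsupported `SameSite` value comes out as `SameSite=Lax`.
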
`CookieSetup` has two alternative methods creating `Cookie` instance: `CookieSetup::permanentCookie()` and `CookieSetup::sessionCookie()`.
- Permanent constructor sets long (5 years) expiry values (`Expires` and `MaxAge`)
- Session constructor sets security directives (`HttpOnly` and `SameSite=Lax`)