Get a Pentest and security assessment of your IT network.

Request a quote
Cyber Security

CakePHP Cookies: Setting Response Headers

January 3, 2026

TL;DR

This guide shows you how to set cookies in CakePHP using the Response object, ensuring they are correctly sent as response headers. We’ll cover basic cookie setting and options like expiry dates and paths.

Setting a Basic Cookie

  1. Access the Response Object: In your controller action, get an instance of the Response object.
  2. Use the setCookie() Method: Call the setCookie() method on the response object to create a cookie.

Example:

$this->response = $this->response->withCookie('my_cookie', 'cookie_value');

Setting Cookie Options

You can control various aspects of the cookie using an array of options as the third argument to setCookie().

  1. Expiry Date: Set how long the cookie should last.
  2. Path: Define which paths on your website the cookie is valid for.
  3. Domain: Specify the domain the cookie applies to.
  4. Secure: Ensure the cookie is only sent over HTTPS connections.
  5. HttpOnly: Prevent client-side JavaScript from accessing the cookie (for security).

Example with options:

$options = [
    'expires' => '+1 week',
    'path' => '/',
    'domain' => 'example.com',
    'secure' => true,
    'httpOnly' => true
];

$this->response = $this->response->withCookie('my_cookie', 'cookie_value', $options);

Deleting a Cookie

  1. Set Expiry Date to the Past: To delete a cookie, set its expiry date to a time in the past.

Example:

$options = [
    'expires' => '-1 day',
    'path' => '/', // Must match original path!
    'domain' => 'example.com', //Must match original domain!
];

$this->response = $this->response->withCookie('my_cookie', '', $options);

Checking if a Cookie is Set

  1. Use request()->cookie(): Check for the cookie’s existence in the request object.

Example:

if ($this->request->cookie('my_cookie')) {
    echo 'Cookie is set!';
} else {
    echo 'Cookie is not set.';
}

Important Considerations

  • Path and Domain: Ensure the path and domain options when deleting a cookie match those used when setting it.
  • Security: Always use the secure option for sensitive cookies to protect them during transmission.
  • HttpOnly: Enable httpOnly to prevent cross-site scripting (XSS) attacks from accessing your cookies.
6
Share:
Related posts
Cyber Security

Zip Codes & PII: Are They Personal Data?

January 3, 2026
Cyber Security

Zero-Day Vulnerabilities: User Defence Guide

January 3, 2026
Cyber Security

Zero Knowledge Voting with Trusted Server

January 3, 2026
Cyber Security

ZeroNet: 51% Attack Risks & Mitigation

January 3, 2026