PHP - correctly set cookie parameters (expire) using header() - not set-cookie()

Question

A site we are using is running an older HHVM version. Looking at the documentation of PHP function setcookie(), there is two signatures for parameters.

To summarize the issue why I cannot use setcookie() is because this version does not use the $options array available of PHP7.3. When trying to use some of the alternative solutions by concatenating samesite to path will crash HHVM. Using this alternate method using normal PHP works correctly as expected.

There seems to be a slight difference between HHVM behaviour here with cookies compared to PHP.

So this question is about header() and not about setcookie() because I can't use it, there are slight difference in how HHVM (the version running) handles cookies.

NOTE: This is a Magento 1 site --- and upgrading to HHVM 3.30+ breaks everything so that is also not an option - I have tried this already.

So I managed to set the cookie using header() function by concatenating all the properties.

header('Set-Cookie: frontend=abcdef; expires=188888888; path=/; domain=www.mydomain.com; SameSite=None; Secure');

Result in Response Headers:

frontend=abcdef; expires=188888888; path=/; domain=www.mydomain.com; Secure; SameSite=None

Set-Cookie documentation refers to this:

You may notice the expires parameter takes on a Unix timestamp, as opposed to the date format Wdy, DD-Mon-YYYY HH:MM:SS GMT, this is because PHP does this conversion internally.

Question

• How to correctly set the expires value, as I am creating a raw header instead of using setcookie() the UNIX timestamp will be in the cookie as shown above, in other words setcookie() converts the UNIX timestamp internally...

• I have tried the following as well - but I am not sure this is correct for expires or not: What format is required?

Sample:

php -a

php > $b = 3600 * 24 * 365;
php > $c = time() + $b;
php > echo $c;
1643355613
php > $dt = new DateTime();
php > $dt->setTimestamp($c);
php > echo $dt->format('Y-m-d H-i-s');
2022-01-28 09-40-13

Not entirely sure that format will be correctly used by expires

This question relates to issues about sessions not working in some cases, but I will keep these questions seperate.

Answer 1

This is to answer how to create a raw set-cookie using header() function.

Because setcookie()automatically changes the timestamp into the formatted string, this conversion has to be done ourselves.

The Mozilla Set-Cookie says this:

The maximum lifetime of the cookie as an HTTP-date timestamp. See Date for the required formatting.

The Mozilla Headers Date format shows the format required:

  Date: Wed, 21 Oct 2015 07:28:00 GMT

To create a properly formatted date string for set-cookie using header() function:

// Assume current time + one day
$expires = time() + 60 * 60 * 24;
$dateTime = new DateTime();

// Set the timestamp
$dateTime->setTimestamp($expires);
// Set the timezone using a new DateTimeZone instance
$dateTime->setTimezone(new DateTimeZone('GMT'));
// Print the format.
// This format based on PHP DateTime formats - the 'e' switch adds the time zone at the end.
$format = 'D, d M Y H:i:s e';
$expiresText = $dateTime->format($format);

// Set the raw header with expires text (encode if needed)
header("Set-Cookie: cookieName=cookieValue; expires=$expiresText; samesite=None; Secure");

This should give a set-cookie that has the Date formatted as required.