Last Updated on August 21, 2021 by Amit

How to set cookies in htaccess

In this post I will show you how we can set an http cookie using a RewriteRule directive in an htaccess or server.config file.
I saw many unanswered and some wrong answered posts on StackOverflow and on other sites so I thought It would be worth writing a post here that can help peope looking for help regarding Htaccess and mod_rewrite cookies.

Setting cookies using mod_rewrite

With RewriteRule directive you can set http cookies the same way you use the directive for rewriting URLs. Cookies are set using [CO] Cookie flag of apache mod-rewrite. The cookies you set via RewriteRule can also be accessed by client or server scripting languages like PHP and JS.

Mod rewrite cookies are mainy used for rewriting requests based on http cookie header.
You often set a mod rewrite cookie to rewrite/direct URLs if a specific cookie exists or based on cookie value .

Let’s start with a basic example first:

RewriteEngine On
RewriteRule (.*) - [CO=user:john]

The rewrite rule above will set cookie named user and as you can see we manually assigned value john to it.
Explanation :

  • The first line “RewriteEngine on” tells server to turn on the engine for rewriting URLs. This setting is disabled by default so you must use this line ones at the top of RewriteRules in htaccess or server.config files.
  • The second line is that does the Rewrite mazic and sets the cookie whenever you request an URI from server.
    RewriteRule (.*) – [CO=user:john]” matches any incoming URIs as the pattern (.*) means to match anything. The hyphen in the Rule’s destination above lets the URI pass through unchanged meaning that if the request is for /file.php only the CO flag will be applied to the URL and there will not be any change in the URL. In most cases when setting cookies by RewriteRule you use as the destination path because we don’t want to rewrite the urls we just want to set a cookie for URLs.
    [CO=user:john]” sets user cookie with value john. You can also use a dynamic value using regex match “$1” or “%1” .

Setting cookies for specific URIs with mod_rewrite

In the basic example above we learned how to set cookies when any URL passes through RewriteRule. You can also set cookies for a specific URI. For example to set cookies only for a single path or file ie /this-file.php you can restrict the pattern of RewriteRule to match only this URI. You just need to write a regular expression pattern to match that particular path.

RewriteEngine On
RewriteRule ^this-file.php$ - [CO=user:john]

This will set the cookie only when you request /this-file.php . This rule example might fail on server.config, add a leading slash in the pattern ie: ^/this-file.php$ to use this in a server.config file.

We use RewriteCond directive to check whether a cookie is set or notset and to test the value of a cookie that is already set. We can also check what value the cookie holds. The following is a basic example of checking whether a cookie is set :

RewriteCond %{HTTP_COOKIE} !^$

In the example above we want to make sure our cookie is set or not empty (!^$) . You can use a RewriteRule bellow this condition so it executes if the condition is met.

In the example bellow, we will redirect /this-file.php to root / if our user cookie is not set.

RewriteEngine on
RewriteCond %{HTTP_COOKIE} !user
RewriteRule ^this-file.php$ / [R,L]

RewriteEngine on
RewriteCond %{HTTP_COOKIE} ^user=john
RewriteRule ^this-file.php$ / [R,L]

The rule above will redirect /this-file.php to / if the cookie user and value john is set.

You can set a specific cookies if it doesn’t exist using the following RewriteRule:

RewriteEngine on
RewriteCond %{HTTP_COOKIE} !^user=john
RewriteRule .* - [CO=user:john,L]

In the example above we first check the HTTP_COOKIE header to ensure that the cookie “user=john” is notset and then we set it via RewriteRule.

By default, mod-rewrite cookies are set for all domains that point to the same document root. You can add an optional perameter domain to the CO flag. To set cookies only for a specific host ie:www.example.com you will use something like the following:

RewriteEngine on
RewriteCond %{HTTP_COOKIE} !^user=john
RewriteRule ^this-file.php$ - [CO=user:john:www.example.com,L]

By default mod-rewrite cookies are set for current session only which means when the browser window is closed the cookies also get destroyed. You can add a lifetime perameter in minutes to CO flag to customise cookies validity.

RewriteEngine on
RewriteRule ^this-file.php$ - [CO=user:john:www.example.com:10,L]

In the example above the user cookie is available only on www.example.com host and it expires after 10 minutes.

Cookies for specific path only

You can make the cookies available for a specific path only. By default mod-rewrite cookies are set for / which means the entire site. To set a specific path you may use :

RewriteEngine on
RewriteRule ^this-file.php$ - [CO=user:john:www.example.com,L]

Setting cookies expire time

You can set how long an http cookie will survive, by default mod-rewrite cookies are set for current browser session only and deleted when we close the browser window. You can add a time perameter to CO flag to extend the cookie validity . Time value is set in minutes.

RewriteEngine on
RewriteRule ^this-file.php$ - [CO=user:john:www.example.com:10,L]

This will set user cookie on www.example.com host with a validity of 10 minutes.

How useful was this post?

Click on a star to rate it!

Average rating 4.3 / 5. Vote count: 285

No votes so far! Be the first to rate this post.