php - What does "the value of the cookie is automatically URLencoded when sending the cookie, and automatically decoded when received" mean?

Question

While learning the concept of Cookies in PHP, I come across the following statement from w3schools PHP Tutorial:

The value of the cookie is automatically URLencoded when sending the cookie, and automatically decoded when received (to prevent URLencoding, use setrawcookie() instead)

I did not get the meaning of this statement. I have following doubts regarding the above statement :

1. From where the cookie is being sent to whom and at where the cookie is being received from whom?
2. What actually does happen by means of "Value of the cookie is automatically URLencoded when sending the cookie, and automatically decoded when received"?
3. What role does setrawcookie() play? I mean what does it actually do?

Following is the code I tried for understanding the concept of cookie :

<?php
  $cookie_name  = "user";
  $cookie_value = "John Doe";
  setcookie($cookie_name, $cookie_value, time() + (86400 * 30), "/"); 

---

 <?php
   if(!isset($_COOKIE[$cookie_name])) {
     echo "Cookie named '" . $cookie_name . "' is not set!";
   } else {
     echo "Cookie '" . $cookie_name . "' is set!<br>";
     echo "Value is: " . $_COOKIE[$cookie_name];
   }

Would someone please clear my queries with reference to the above code?

Answer 1

Http cookies are headers that are transferred between the client (the browser), and the webserver.

When you use setcookie, what you are doing is instructing the PHP interpreter to inject a header in its response with this format:

Set-Cookie:name=value

That cookie will be stored by the browser, and returned by it in future requests (to the same host) in the Cookies request header like this:

Cookie:name=value;cookie2=value;cookie3=value

Normally, when transferring this you should urlencode any special characters. Let's say that I wan to specify a cookie named "operator" with a value of ">", then I should emit this header:

Set-Cookie:operator=%3E

When it says that the value is automatically urlencoded, is saying that you don't have to worry about that. You can simply do:

setcookie('operator', ">");

And PHP will handle the urlencoding directly, producing the correct header.

On the server side, you'll receive cookies in the $_COOKIES superglobal, and in the same way that happens with $_GET and $_POST, values will be automatically urldecoded for you. So if the client returns the previously set cookie %3E, you'll see: > in your code.

If you use your browser inspector, you can see the relevant headers on any request-response. E.g.:

request (returning cookie)

response (setting cookie)

setrawcookie, does the same, but you have to urlencode on your own. From the docs:

setrawcookie() is exactly the same as setcookie() except that the cookie value will not be automatically urlencoded when sent to the browser.

More likely than not, you won't have any reason to ever use setrawcookie directly.