Cookie Laravel Package

Getting Started

In Laravel apps, you don’t install illuminate/cookie directly—it’s bundled inside laravel/framework. Start by using the framework’s high-level cookie APIs: the Cookie facade or helper. For example, to queue a cookie for the next response:

use Illuminate\Support\Facades\Cookie;

Cookie::queue(Cookie::make('lang', 'en', 1440));

Or attach one to a response explicitly:

return response('Hello')->cookie('seen_tour', 'true', 10080);

All common cookie operations (read/write, encryption, expiration) are handled transparently by Laravel’s EncryptCookies middleware—no setup required.

Implementation Patterns

• Queuing for Decoupling: Use Cookie::queue() in service classes, jobs, or events to set cookies without tight coupling to the response lifecycle. The queued cookies are automatically attached to the outgoing response.
• Automatic Encryption/Decryption: Always use Cookie::get('name') instead of reading $_COOKIE directly. Laravel decrypts encrypted cookies on demand; manual access to $_COOKIE yields raw (and potentially tampered) values.
• Secure Defaults: When creating cookies, rely on Laravel’s sensible defaults—HttpOnly, Secure (when HTTPS is enforced), and SameSite=Lax are applied automatically via config (config/session.php → same_site_cookie and secure).
• Batch Operations: Queue multiple cookies in a loop, or chain them with Cookie::put() (deprecated in favor of queue()/make() but still functional). Avoid mixing queue() and direct cookie() calls on the same response to prevent confusion.
• Integration with Auth/Sessions: User preferences (e.g., theme, language) can leverage cookies, while auth tokens should use sessions—Laravel’s cookie-based sessions are built on top of this package.

Gotchas and Tips

• Encryption ≠ Signing: Encrypted cookies are secure against tampering and reading. Unsigned cookies (via encrypted: false) are not signed—clients can modify them. Never store integrity-critical data in unsigned cookies.
• Middleware Dependency: EncryptCookies middleware must be active (it’s enabled by default in App\Http\Kernel). If disabled, all cookies become unsigned/unencrypted—double-check your middleware stack.
• Queue Timing Matters: Cookies queued after response() creation still work, but queued cookies added after the response is already sent won’t be attached. Queue early in the request lifecycle.
• Testing Pitfalls: Cookie::queue() in tests doesn’t affect the current request’s $_COOKIE superglobal—use Cookie::get() after the response is sent, or assert via $response-> cookies.
• Subtle Domain/Path Defaults: Cookie::make('name', 'value', 60) sets domain to the current host (not root .) and path to /. For subdomain sharing, explicitly set ->withDomain('.example.com').
• Don’t Force standalone: Avoid requiring illuminate/cookie via Composer outside Laravel—it lacks a documented, supported install path. Use symfony/http-foundation if building non-Laravel apps.