To create cookies in Laravel, use the cookie() helper or withCookie() method with parameters for name, value, duration, path, domain, secure, and httpOnly flags; 2. Retrieve cookies via $request->cookie('name') or Cookie::get('name'), noting Laravel automatically decrypts cookies set by its system; 3. Delete cookies by sending a past-expiration cookie using Cookie::forget('name') or manually setting a negative expiration time; 4. Queue cookies globally with Cookie::queue() for automatic attachment to the next response and configure encryption exceptions in the EncryptCookies middleware by adding names to the $except array; 5. Follow best practices such as avoiding sensitive data storage, setting appropriate expiration, using HTTPS, and testing with browser tools—Laravel simplifies secure cookie management with Cookie::queue() for setting, $request->cookie() for reading, and Cookie::forget() for deletion, ensuring proper state handling across requests.

Working with cookies in Laravel is straightforward thanks to its clean API and built-in support for secure, encrypted cookies by default. Laravel uses Symfony’s Symfony\Component\HttpFoundation\Cookie class under the hood, but provides easy-to-use helpers for creating, retrieving, and deleting cookies.

Here’s how to work with cookies effectively in Laravel:

1. Creating and Sending Cookies

To send a cookie with a response, use the cookie() helper or withCookie() method on a response instance.

Example: Add a cookie to a response

use Illuminate\Http\Response;

Route::get('/set-cookie', function () {
    return response('Cookie set!')
            ->cookie('user_name', 'JohnDoe', 60); // name, value, duration in minutes
});

This sets a cookie named user_name with value JohnDoe that lasts for 60 minutes.

With additional options:

->cookie('user_name', 'JohnDoe', 60, '/', '.yourdomain.com', true, true)

Parameters:

• name – cookie name
• value – cookie value
• minutes – lifetime
• path – path where cookie is available
• domain – domain (optional)
• secure – only send over HTTPS
• httpOnly – not accessible via JavaScript

You can also use the Cookie facade for more control:

use Illuminate\Support\Facades\Cookie;

$response = response('Cookie set!');
$response->withCookie(cookie()->make('user_name', 'JohnDoe', 60));
return $response;

Or create encrypted cookies (Laravel encrypts cookies by default unless you use cookie()->forever() or unencrypted()):

// Encrypted and queued to be sent with the next response
Cookie::queue('preferences', 'dark_mode', 1440); // queued for 24 hours

2. Retrieving Cookies

Use the Cookie facade or the Request object to read cookies.

From the request:

use Illuminate\Http\Request;

Route::get('/get-cookie', function (Request $request) {
    $name = $request->cookie('user_name');
    return $name ? "Hello, $name" : 'No cookie found';
});

Using the Cookie facade:

$name = Cookie::get('user_name');

?? Note: Laravel decrypts cookies automatically if they were set using Laravel's cookie system. But you can only retrieve cookies set by Laravel if they were encrypted.

3. Deleting Cookies

To delete a cookie, send a cookie with the same name but with a null value and a past expiration.

return response('Cookie deleted')
        ->withCookie(Cookie::forget('user_name'));

Using Cookie::queue():

Cookie::queue(Cookie::forget('user_name'));

Alternatively, manually set an expired cookie:

->cookie('user_name', '', -1) // negative time deletes it

4. Global Cookie Configuration and Queuing

Laravel allows you to queue cookies using Cookie::queue(). This is useful when you want to set a cookie without immediately returning a response.

Cookie::queue('welcome_message', 'Thanks for visiting!', 120);

The cookie will be attached automatically to the next outgoing response.

You can also customize cookie behavior globally in config/session.php and App\Http\Middleware\EncryptCookies.

? By default, Laravel encrypts all cookies via the EncryptCookies middleware (App\Http\Middleware\EncryptCookies). If you need to allow unencrypted cookies (e.g., for JavaScript access), add the cookie name to the $except array:

class EncryptCookies extends BaseEncrypter
{
    protected $except = [
        'tracking_id', // this cookie won't be encrypted
    ];
}

5. Best Practices and Tips

• Use queue() for convenience – avoids manually attaching cookies to responses.
• Avoid storing sensitive data – even though cookies are encrypted, they're still stored on the client side.
• Set appropriate expiration times – don’t keep cookies longer than necessary.
• Use HTTPS in production – especially if setting secure cookies.
• Test cookie behavior – browser dev tools help verify if cookies are set correctly (path, domain, secure flag).

Working with cookies in Laravel is simple and secure by default. Whether you're remembering user preferences, tracking sessions, or handling authentication tokens, Laravel’s cookie layer makes it easy to manage state across requests—just remember to handle encryption and expiration appropriately.

Basically, use Cookie::queue() for setting, $request->cookie() for reading, and Cookie::forget() for cleanup.

The above is the detailed content of How to work with cookies in Laravel?. For more information, please follow other related articles on the PHP Chinese website!