140

What should cookie names look like?

Should they be:

  • lower_case
  • CamelCase
  • Underscore_Camel_Case
  • UPPER_CASE

Or should they be something else?

Emanuil Rusev
  • 34,563
  • 55
  • 137
  • 201

5 Answers5

91

appname_meaningfulname

Ignacio Vazquez-Abrams
  • 776,304
  • 153
  • 1,341
  • 1,358
  • 13
    @Emanuil: To distinguish it from all the other cookies generated by other apps on the same domain. – Ignacio Vazquez-Abrams Sep 19 '12 at 20:50
  • 5
    @Emanuil Rusev, browser add-ons sometimes set cookies. I just learned this the hard way when my website picked up a cookie and got the data set by the user's add-on instead of the data set by my site. – lala Jul 01 '13 at 13:24
8

Keep in mind that this cookie is sent with every request, so imho, just use the smallest name you can, and document your code nicely.

MatthieuP
  • 1,116
  • 5
  • 12
  • 1
    This should not be a concern. Giving cookies descriptive names, as suggested in the accepted answer, should be preferred over saving a few bytes in every request (which itself is already ~800 bytes in size). – Blightbuster Sep 19 '22 at 03:14
4

It should be something that avoids naming conflicts with arbitrary _GET and _POST params you might be using, since _REQUEST wraps all three global arrays (!), with precedence depending on how your variables_order setting is set in php.ini. In other words, if you have a _COOKIE named "x" and a querystring param named "x", and you ask for $_REQUEST["x"], you get the cookie value when you might want/expect the GET param. This is especially problematic if your cookies are scoped to your website root "/", and not to the folder where they are consumed.

So I say, two best practices:

  1. make sure you limit scope of your cookies to the path where they are read and written, (third argument of setcookie() method does this)
  2. give your cookies some sort of cookie-specific naming convention. I suggest reverse website, like java namespaces, then ".".{appname}.".".{friendly cookie name camel cased} So, if your site is www.testsite.com, and your app is foo, and your variable is "bar bar bar bar bar barann", it would be "com.testsite.foo.barBarBarBarBarBarann"
sth
  • 222,467
  • 53
  • 283
  • 367
WillieMack
  • 1
  • 1
2

I use whatever style the coding standards for the project call for.

Generally I prefer camelCase for naming schemes, but whichever one pays the bills is the one I'll go with.

zombat
  • 92,731
  • 24
  • 156
  • 164
1

Maybe you won't like my answer:

Don't use your own cookies but store data in server sessions. So you only need one cookie (to reference the session id) and how you name that plays no role.

NineBerry
  • 26,306
  • 3
  • 62
  • 93
  • 11
    That becomes messy with load balancers, as then the session should be stored in a database which isn't on the same host (or possibly even the same datacenter). Sometimes cookies are just fine. – dotancohen Nov 19 '13 at 11:05
  • 1
    @dotancohen can you provide some links regarding the issue you describe? thank you! – Sharky Jul 07 '14 at 10:57
  • 1
    **"Don't use cookies"** sounds a bit puritanical; but I do like this attempt to keep things clean for the user. – Parapluie Apr 27 '17 at 14:28
  • securecookies can be used safely without any server-side session storage. They don't have to be huge (actually there's a limit of 4k which is quite modest) and avoids load-balancers and/or centralized DB lookups. – colm.anseo Mar 11 '19 at 01:33
  • This is brilliant. There are tons of things that are kept in a database, and I don't see many people complaining about that – étale-cohomology Feb 17 '22 at 19:59