Is it OK to send cookie headers directly with "header()" calls?

Question

Is it OK to send cookie headers directly with header() calls?

I am tinkering with http cookie mechanism in PHP and would like (at least initially) to try the "raw" thing :)

The Brad Christie's answer to "php-how-to-stringify-array-and-store-in-cookie" assumes it is, but is there a somehow official source on the topic (or is it at least a well-known practice)?

Thanks in advance for clarifying the topic.

[EDIT: AN IMPORTANT NOTICE]

An interesting thing I have discovered is that calling header('Set-Cookie: ...'); effectively prevents any cookies previously supplied with setcookie('...'); from being sent, at least on my machine (PHP 5.3.5, Apache 2.2.17, WinXP SP2). Whether this is a feature / bug(?) or a consequence of PHP semantics/rules violation, I don't know.

Analyzing PHP .c sources will possibly bring an answer (one should posibly look into head.c (header(), setcookie(), etc) and mod_php5.c (Apache module) files for that).

Answer 1

IT IS NOT

Please see the "edit" part of the question.

Answer 2

PHP won't care either way. Setting a cookie just means sending the header. There's nothing else involved from PHP's site (unless you're talking about sessions, but apparently you aren't). You can send any raw header you want, PHP won't care. If you send the correct header and the client returns the cookie on the next request, PHP will parse it correctly into the $_COOKIE array. And that's all there is to it.

Answer 3

It's definitely ok. There is no difference between proper cookies sent with raw headers and ones sent via set_cookie().

Answer 4

Considering cookies are just HTTP headers, you can, of course, send them using the header() function.

But this is re-inventing the wheel (and you'll have to deal with all possibilities yourself), as PHP provides the setcookie() function.

Still, if you want to learn how cookies work, why not ?
This can be interesting ;-)