Cookies are actually just an extension of the HTTP protocol. Specifically, there are two additional HTTP headers: Set-Cookie and Cookie. The operation of these cookies is best described by the following series of events:
1. Client sends an HTTP request to server.
2. Server sends an HTTP response with Set-Cookie: foo=bar to client.
3. Client sends an HTTP request with Cookie: foo=bar to server.
4. Server sends an HTTP response to client.

Thus, the typical scenario involves two complete HTTP transactions. In step 2, the server is asking the client to return a particular cookie in future requests. In step 3, if the user’s preferences are set to allow cookies, and if the cookie is valid for this particular request, the browser requests the resource again but includes the cookie.

The Set-Cookie header, at a minimum, contains the name and value of the cookie.

For example,
Set-Cookie: foo=bar

Other attributes can be included to modify when the cookie is to be sent in a subsequent request.These optional attributes are as follows:

domain—Restricts requests for which the cookie is sent to those that are within the specified domain or in subdomains.
The default is the domain of the current resource.

expires—A date after which the cookie is no longer valid and should be deleted.
The default is to persist the cookie in memory only, expiring it as soon as the browser ends.

path—Only requests for resources within the specified path include the cookie.
The default is no path restrictions.

secure—An attribute with no value that indicates that the cookie should only be sent in requests sent over a secure connection, such as SSL.

In PHP, cookies sent in the request are made available in the $_COOKIE superglobal array.