Write For Us
php
session
cookies

Cookies vs. sessions

Viewed   162 times

I started using PHP a couple of months ago. For the sake of creating a login system for my website, I read about cookies and sessions and their differences (cookies are stored in the user's browser and sessions on the server). At that time, I preferred cookies (and who does not like cookies?!) and just said: "who cares? I don't have any good deal with storing it in my server", so, I went ahead and used cookies for my bachelor graduation project. However, after doin' the big part of my app, I heard that for the particular case of storing user's ID, sessions are more appropriate. So I started thinking about what would I say if the jury asks me why have you used cookies instead of sessions? I have just that reason (that I do not need to store internally information about the user). Is that enough as a reason? or it's more than that?
Could you please tell me about advantages/disadvantages of using cookies for keeping User's ID?

Thanks for you all in StackOverflow!

 Answers

2

The concept is storing persistent data across page loads for a web visitor. Cookies store it directly on the client. Sessions use a cookie as a key of sorts, to associate with the data that is stored on the server side.

It is preferred to use sessions because the actual values are hidden from the client, and you control when the data expires and becomes invalid. If it was all based on cookies, a user (or hacker) could manipulate their cookie data and then play requests to your site.

Edit: I don't think there is any advantage to using cookies, other than simplicity. Look at it this way... Does the user have any reason to know their ID#? Typically I would say no, the user has no need for this information. Giving out information should be limited on a need to know basis. What if the user changes his cookie to have a different ID, how will your application respond? It's a security risk.

Before sessions were all the rage, I basically had my own implementation. I stored a unique cookie value on the client, and stored my persistent data in the database along with that cookie value. Then on page requests I matched up those values and had my persistent data without letting the client control what that was.

Sunday, August 28, 2022
 
anis_boulila-b1dcd59c0ca5
 
anis_boulila-b1dcd59c0ca5
2

Sessions - in most cases - use cookies to store their session id so its pretty much always a case that you are using both. Most sites will use sessions as cookies are inherently insecure as data is stored at the client side where as session data is stored on a server. It is largely a matter of security and what data you intend to store but since its so easy to modfify cookie data then you should never really trust anything within cookies.

Tuesday, October 4, 2022
 
anfi
 
anfi
1

The cookie should be deleted, because you set his lifetime to 0.

Maybe there is still a firefox-process running, take a look into the taskmanager.

Friday, August 5, 2022
 
iswanto_san
 
iswanto_san
4

You're getting sessions and cookies mixed up. You don't need to put things into the $_COOKIE array. Just use session_start() and then put things into $_SESSION. PHP will automatically then manage the session/cookie for you.

$_COOKIE variables are stored on the users browser, so they aren't secure and can be manipulated by the user => security risk.

$_SESSION variables are stored only on the server. The only thing stored in the cookie is a session_id, so $_SESSION variable can't be manipulated.

Does that make sense?

Saturday, December 3, 2022
 
goodtimeslim
 
goodtimeslim
3

The main difference is that when you use cookie[:foo] = 'bar' the user is able to see the value for the cookie, i.e. 'bar'. When you use session[:foo] = 'bar' the value will be encrypted by rails and stored in the _myapp_session cookie.

You would use the cookie[] format when the information you want to store is not bound to the session, e.g. when the users selects the preferred language.

You would use the session[] format when you want to store information that is related to the current session, e.g. the id of the the user.

Saturday, November 5, 2022
 
justinstolle
 
justinstolle
Only authorized users can answer the search term. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :
php
session
cookies
 
Share
Related Answers
100
 Sessions VS Temp. Cookies
48
 do sessions work when cookies are disabled?
51
 Do i login using cookies or sessions in a login system?
62
 Why is this combined usage of cookies and sessions working? Confused
63
 Authenticate system without sessions - Only cookies - Is this reasonably secure?
81
 Using PHPUnit to test cookies and sessions, how?
81
 Are cookies and sessions are depend on each other?
57
 Accessing two sessions in given PHP script
87
 PHP sessions or cookies not storing on server. PHP.ini misconfiguration
545
 Scrapy - how to manage cookies/sessions
Top Answers Related To

php,session,cookies

182
 PHP session IDs — how are they generated?
159
 PHP session seemingly not working
69
 PHP session or cookie
161
 How to tell PHP to use SameSite=None for cross-site cookies?
89
 What happens if cookies are disabled?
95
 Is a PHP Session acceptable with the new UK cookie law?
60
 Why is IE7 rejecting session cookies from a page in a frame?
105
 PHP: Setting the session information in a cookie won't be kept after page reloads?
69
 is it possible to set unlimited time for a cookie to a session variable?
90
 Session cookies = cookies?
Write For Us · Blog · Privacy · Faqs · Terms of Use · Contact us ·