I am working on the development of a website and the time has come to start working with cookies.
Currently, I use sessions for user registration, but I'm wondering:
What are the differences between sessions and cookies?
What are their advantages and disadvantages? Can you do the same with both?
Are there differences in terms of security?
Mainly, one of the biggest differences is that information stored in a session is saved on the server side, while information saved in a cookie is saved on the client side. Also, sessions are destroyed when you close the browser (or when you manually destroy them), while cookies remain in the browser for a certain time (which can be several weeks or even months).

Therefore, it can be said that sessions are safer than cookies.

Although they may look similar, they serve different functions and are complementary; you should not limit yourself to using one or the other.
SESSIONS:
The idea of sessions is to offer persistence to certain data across subsequent requests.
They allow user information to be stored individually, during the session. The session identifier that tells PHP whether or not a session exists is sent to the browser through cookies by default; this identifier is also used to retrieve the session data. Session information is stored by default in a file at the path set in the session.save_path environment variable.
The maximum time of a session is determined by the environment variable session.gc_maxlifetime and its default value is 1440 seconds (24 min). That is, if in that time no HTTP request has been received that contains the cookie with the session id, it will be proposed to the garbage collector; on the other hand, sessions can be eliminated manually. You could also easily remove all sessions, i.e. from all users, by removing all session files in the directory defined by session.save_path.
COOKIES
The idea of cookies is to offer persistence to certain data throughout the lifetime of the cookie .
The current operation of cookies is defined in RFC 6265 of 2011.
Cookies allow information to be stored in the browser through name=value data pairs; these data are sent to the server in each request.
Cookies are part of the HTTP headers, and these are normally used to create or modify them.
The lifetime of a cookie can be set when creating it by defining the Max-Age attribute. If this attribute is not present, the cookie lasts until the browser is closed. On the other hand, browsers may not respect the time set for the cookie. There is no maximum time limit set; in quotes, "it can last as long as we want".
Cookies are not recommended to store sensitive information since it is information sent by the client (and can be altered) and any external data must always be treated with suspicion.
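As an added illustration of the two mechanisms the answer describes (not code from the original answer), the following PHP fragment configures the PHP session cookie so it lasts only for the browser session and is not readable from JavaScript, stores the actual state server-side, and sets a separate ordinary cookie with an explicit Max-Age that is then read back as untrusted input. It assumes PHP 7.3 or later (array form of session_set_cookie_params() and setcookie(), and the samesite option); the cookie name ui_theme and its values are chosen for this example.

```php
<?php
// Added example, not from the original answer: PHP session cookie vs an ordinary
// cookie with Max-Age. Assumes PHP 7.3+; names and values are illustrative.
declare(strict_types=1);

// 1. Session cookie: lifetime 0 => removed when the browser closes.
//    The state itself lives server-side under session.save_path; only the id travels.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,    // only sent over HTTPS
    'httponly' => true,    // not readable from JavaScript
    'samesite' => 'Lax',   // not sent on most cross-site requests
]);
ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
ini_set('session.gc_maxlifetime', '1440'); // 24 min of inactivity, the default quoted above

session_start();

// Values stored here never leave the server; the client only holds the session id.
if (!isset($_SESSION['created'])) {
    $_SESSION['created'] = time();
}
$_SESSION['last_seen'] = time();

// 2. Ordinary cookie with an expiry (PHP emits both Expires and Max-Age, RFC 6265).
//    It survives browser restarts and the client can rewrite it at will.
setcookie('ui_theme', 'dark', [
    'expires'  => time() + 30 * 24 * 3600,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// 3. Reading it back on a later request: treat it as untrusted external data.
$allowedThemes = ['light', 'dark'];
$theme = $_COOKIE['ui_theme'] ?? 'light';
if (!in_array($theme, $allowedThemes, true)) {
    $theme = 'light'; // unknown or tampered value: fall back to a safe default
}

// 4. Manual destruction, the other way a session ends besides the garbage collector.
function endSession(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the session cookie in the browser as well as removing the server-side file.
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}
```

The contrast to notice is that the session cookie carries nothing but a random identifier, so editing it in the browser yields at most an unknown id (rejected under use_strict_mode), whereas the ui_theme cookie carries the value itself and therefore has to be validated against an allow-list every time it is read.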
Differences between cookies and sessions:
Cookies: they are executed and created on the client side and can live for a long time in the user's browser, for example 1 year. The only bad thing is that they can be easily manipulated by someone with knowledge of JavaScript, without your consent.
Sessions: they are executed on the server side; they are more secure than cookies since they cannot be manipulated with JavaScript on the client side, and the life of a session lasts until the user closes the browser, for example "Chrome" or "Explorer".
The two are used for different things. For example, if you want a user to log in and remain logged in even if they turn off their computer, you can use cookies, but if you only want the session to last as long as they are inside the site you can do it with sessions, no problem.
I hope it helps you make a decision.
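The "stay logged in after the computer is turned off" case mentioned in this answer is usually solved by combining both mechanisms: a long-lived cookie that holds only random tokens, and a server-side record that maps those tokens to the user. The PHP below is an added example, not code from the answer's author; it assumes a PDO connection $db and a table remember_tokens(selector, validator_hash, user_id, expires_at), both hypothetical names chosen for this example, and PHP 7.3 or later for the array form of setcookie().

```php
<?php
// Added example, not from the original answer: a "remember me" cookie that keeps
// no user data client-side. $db and the remember_tokens table are hypothetical.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL    = 30 * 24 * 3600; // 30 days, an illustrative value

// Called after a successful password login when the user ticked "remember me".
function issueRememberCookie(PDO $db, int $userId): void
{
    $selector  = bin2hex(random_bytes(12)); // lookup key, may be stored in clear
    $validator = bin2hex(random_bytes(32)); // secret; only its hash is stored
    $expires   = time() + REMEMBER_TTL;

    $stmt = $db->prepare(
        'INSERT INTO remember_tokens (selector, validator_hash, user_id, expires_at)
         VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $expires]);

    // The cookie carries only random tokens, so editing it in the browser
    // cannot change which account it maps to.
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Called early in a request when no PHP session is logged in yet. Returns the
// user id, or null if the cookie is absent, malformed, expired or does not match
// what the server stored.
function userFromRememberCookie(PDO $db): ?int
{
    $raw = $_COOKIE[REMEMBER_COOKIE] ?? '';
    // Client data is untrusted: reject anything that is not exactly the expected shape.
    if (!preg_match('/^([0-9a-f]{24}):([0-9a-f]{64})$/', $raw, $m)) {
        return null;
    }
    [, $selector, $validator] = $m;

    $stmt = $db->prepare(
        'SELECT validator_hash, user_id FROM remember_tokens
         WHERE selector = ? AND expires_at > ?'
    );
    $stmt->execute([$selector, time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }

    // Constant-time compare so the validator cannot be guessed byte by byte.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Selector known but validator wrong: treat the token as compromised and revoke it.
        $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
        return null;
    }

    // Promote to a normal server-side session for the rest of the visit.
    session_start();
    session_regenerate_id(true); // fresh id, so a pre-set id cannot be reused
    $_SESSION['user_id'] = (int) $row['user_id'];
    return (int) $row['user_id'];
}
```

Splitting the token into a selector (used for the database lookup) and a validator (only compared after hashing) means a leaked copy of the table does not let anyone forge a valid cookie, and the session that results is the same server-side session the other answers describe, with the same 24-minute inactivity timeout.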