
$_SESSION v. $_COOKIE

I learned about $_SESSION several weeks ago when creating a login page. I can successfully log in and use it with variables. Currently I am trying to understand $_SESSION and $_COOKIE. Please correct me if I am wrong: I can use $_SESSION when logging in and moving around pages. $_COOKIE is used to remember when I last visited and my preferences.

Another thing involving cookies is that when websites use advertisements (for example: Google AdSense), they use the cookies to track when a visitor clicks on an advertisement, right?

I can use both ($_SESSION & $_COOKIE)? I read somewhere that you can store the session_id as value for the cookie.

Also, I read about security, which led to me finding this: What do I need to store in the php session when user logged in? Is using session_regenerate_id good for when a user comes back to the site?

And this: How to store a cookie with php involving uniqid.

For those wanting to know about the login, I use email and password. That way the user is able to change their username.

I look forward to learning more about these two from anybody who would like to share their knowledge about it. If I asked too many questions, you can just answer the one that you have more experience with.

If you need more information, just ask since I might have forgotten to include something.

Thank You.


Found this: What risks should I be aware of before allowing advertisements being placed on my website?

In simple terms, $_SESSION and $_COOKIE are different. Both are PHP globals, but cookies are used without a language limitation. $_SESSION is all about storing the data in the server while storing the session ID as a cookie. $_COOKIE is the cookies that the browser sends to the server. This is the major difference. Sessions don't work if the client browser has cookies disabled.

- Security -

If you check the request headers that your browser sends, you will notice that each request has cookie information in it. They can be tracked by sniffing your network communication. Anyone with better tools can edit cookie data. Never use cookies to store passwords! If you use sessions, passwords are in the server and only the session ID cookie will be stored in the client, reducing the security problem. Chuck Norris still can hijack a session.

- Performance -

If you store 5 cookies in the browser with 200 bytes in each, that costs ~1 KB of data on each and every request, no matter if it's a jpg file or a page that actually needs the cookie information. So this directly affects how fast your site can perform to the end user.

If you use sessions, the server has this 1 KB of data while the client sends the session ID in each page request. You can be clever by shifting static files to another cookie-less domain.

- Lifetime -

Sessions get cleared on a timely basis. So if you want to save something for a long time, use cookies instead. The "remember me" functionality of most sites works this way (still, it doesn't store the password. Just the session information - not to be confused with the session ID).

Bottom line, sessions and cookies are different types. A session is relatively secure, server-side storage, and gets cleared often. Cookies can have a larger lifespan but they affect performance (not CPU/RAM -- load times) unless you don't keep that in mind. It's extremely strange if there is a reason to store 1 KB as cookies though.

Never trust user input that comes through $_GET/POST. Take the same care with $_COOKIE as well. And there is session hijacking. Someone can guess someone else's session ID, although it's nearly impossible to do. So use some validation at the server side first.
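The points in the answer above, put together as an added example that is not part of the original question or answer: a session cookie that carries only the ID, an ID regenerated at login, and a "remember me" cookie that holds a random token instead of a password and is validated like any other user input. The function names, the in-memory $store array standing in for a database table, and the HTTPS-only setting are assumptions; it needs PHP 7.3 or later, and the two session functions are meant for a web request while the demo at the bottom runs from the CLI.

```php
<?php
declare(strict_types=1);

// The session cookie carries only the ID; harden it before session_start().
function startHardenedSession(): void {
    session_set_cookie_params([
        'lifetime' => 0,       // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,    // assumption: the site runs over HTTPS
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call only after the e-mail/password check has succeeded.
function completeLogin(int $userId): void {
    session_regenerate_id(true);   // new ID; the old session data is deleted
    $_SESSION['user_id'] = $userId;
}

// "Remember me": the cookie value is "selector:token", never the password.
// $store (hypothetical) maps selector => [sha256(token), user id, expiry].
function issueRememberToken(array &$store, int $userId, int $ttl = 2592000): string {
    $selector = bin2hex(random_bytes(8));
    $token    = bin2hex(random_bytes(32));
    $store[$selector] = [hash('sha256', $token), $userId, time() + $ttl];
    return "$selector:$token";
}

// Validate the $_COOKIE value: check its shape, look it up, compare in constant time.
function checkRememberCookie(array $store, $cookie): ?int {
    if (!is_string($cookie) || !preg_match('/^([0-9a-f]{16}):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;
    }
    [$hash, $userId, $expires] = $store[$m[1]] ?? [null, null, 0];
    if ($hash === null || $expires < time()) {
        return null;
    }
    return hash_equals($hash, hash('sha256', $m[2])) ? $userId : null;
}

// Constructed demo data. In a page the value would be sent with
// setcookie('remember', $cookie, ['expires' => time() + 2592000,
//           'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
$store  = [];
$cookie = issueRememberToken($store, 42);
var_dump(checkRememberCookie($store, $cookie));        // valid token
var_dump(checkRememberCookie($store, $cookie . 'x'));  // tampered value
```

A remember-me login that passes this check should still go through completeLogin() so the visitor gets a fresh session ID.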
