Difference Between Sessions and Cookies

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Bigun
Forum Contributor
Posts: 237
Joined: Tue Jun 13, 2006 10:50 am

Difference Between Sessions and Cookies

Post by Bigun »

I'm getting to the point of my site creation where the main page will customize itself to what settings the user specifies.

I've been reading over sessions (http://www.zend.com/zend/tut/session.php) and cookies (http://www.zend.com/zend/tut/feedback.php).

It seems the sessions are nothing more than glorified cookies. Is there a de facto standard on which one to use on a fully functional site? Is there much of a difference between the two?
TheMoose
Forum Contributor
Posts: 351
Joined: Tue May 23, 2006 10:42 am

Post by TheMoose »

To an extent, sessions are basically cookies that reside on the server instead of the client. In this manner, it is safer to use sessions as you don't have to worry about whether the client has cookies enabled or not.

To my knowledge there is no standard as to which you use, it's more dependent upon the usage of your site.
Bigun
Forum Contributor
Posts: 237
Joined: Tue Jun 13, 2006 10:50 am

Post by Bigun »

Then... is there much point in me learning about cookies before I learn about sessions?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Cookies have a set limit to how much information can be kept in them; sessions do not. Sessions remain available as long as the user hasn't closed their browser (ignoring SessionSaver et al. here).

You need to take great care in what you put in either, however, unless you're on a dedicated host (or sandbox-like environment). For different reasons, however. Cookies can be manipulated by the user. If you don't validate and verify information given by the cookie you may "accidentally" give a user administrative powers if they change X to Y. On shared hosts, the session directory is often the same for all users. This also means that any information you store in the session can be read by anyone else on the server. Even changing the location of the directory sessions are saved on a shared host often isn't the best idea. After all, you can't have PHP be the owner and it's more difficult to deal with if the directory is your user. So in the end, on shared hosts, I recommend storing session data, sensitive or not, in a database.
TheMoose
Forum Contributor
Posts: 351
Joined: Tue May 23, 2006 10:42 am

Post by TheMoose »

Is there a point to learning about cookies? Yes. Should you learn cookies before sessions? Doesn't matter. They effectively work the same in programming logic, the only difference being setting an expiration date to the cookie. Cookies are great for remembering settings or user-specific data multiple times even after the user leaves the site and comes back to it long after that specific session has been destroyed.