Difference Between Sessions and Cookies

Posted: Fri Jun 16, 2006 8:51 am
by Bigun
I'm getting to the point of my site creation where the main page will customize itself to what settings the user specifies.

I've been reading over sessions (http://www.zend.com/zend/tut/session.php) and cookies (http://www.zend.com/zend/tut/feedback.php).

It seems the sessions are nothing more than glorified cookies. Is there a de facto standard on which one to use on a fully functional site? Is there much of a difference between the two?

Posted: Fri Jun 16, 2006 9:05 am
by TheMoose
To an extent, sessions are basically cookies that reside on the server instead of the client. In this manner, it is safer to use sessions as you don't have to worry about whether the client has cookies enabled or not.

To my knowledge there is no standard as to which you use; it's more dependent upon the usage of your site.

Posted: Fri Jun 16, 2006 9:13 am
by Bigun
Then... is there much point in me learning about cookies before I learn about sessions?

Posted: Fri Jun 16, 2006 9:14 am
by feyd
Cookies have a set limit to how much information can be kept in them; sessions do not. Sessions remain available as long as the user hasn't closed their browser (ignoring SessionSaver et al. here).

You need to take great care in what you put in either, however, unless you're on a dedicated host (or sandbox-like environment), though for different reasons. Cookies can be manipulated by the user. If you don't validate and verify information given by the cookie you may "accidentally" give a user administrative powers if they change X to Y. On shared hosts, the session directory is often the same for all users. This also means that any information you store in the session can be read by anyone else on the server. Even changing the location of the directory sessions are saved in on a shared host often isn't the best idea. After all, you can't have PHP be the owner and it's more difficult to deal with if the directory is your user. So in the end, on shared hosts, I recommend storing session data, sensitive or not, in a database.
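
The "validate and verify" step for cookie data mentioned above can be done by signing the cookie on the server. This is an added example, not part of the original post; the key, the `payload.mac` cookie layout, and the field names are assumptions made for illustration.

```php
<?php
// Added example: sign a settings cookie so the server can detect user edits.
// COOKIE_KEY is a placeholder; a real key is long, random and stays on the server.
const COOKIE_KEY = 'replace-with-a-long-random-server-side-secret';

// Build the cookie value: base64(JSON data) . "." . hex HMAC-SHA256 of that payload.
function make_signed_cookie(array $data, string $key): string
{
    $payload = base64_encode(json_encode($data));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// Return the decoded data, or null if the value is malformed or was altered.
function read_signed_cookie(string $value, string $key): ?array
{
    $parts = explode('.', $value);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, $key);
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return null;
    }
    $json = base64_decode($payload, true);
    $data = $json === false ? null : json_decode($json, true);
    return is_array($data) ? $data : null;
}

// Constructed sample: the value the server would hand to setcookie().
$cookie = make_signed_cookie(['theme' => 'dark', 'role' => 'user'], COOKIE_KEY);

// Constructed sample: the same cookie after the user changes one field
// in the browser while keeping the old MAC.
[, $oldMac] = explode('.', $cookie);
$edited = base64_encode(json_encode(['theme' => 'dark', 'role' => 'admin'])) . '.' . $oldMac;

// The untouched value verifies; the edited one does not, because the MAC
// covers the whole payload and cannot be recomputed without the key.
var_dump(read_signed_cookie($cookie, COOKIE_KEY));
var_dump(read_signed_cookie($edited, COOKIE_KEY));
```

Signing only detects changes; the user can still read the payload, so anything sensitive, and anything that decides privileges, is better kept in server-side session data.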

Posted: Fri Jun 16, 2006 9:16 am
by TheMoose
Is there a point to learning about cookies? Yes. Should you learn cookies before sessions? Doesn't matter. They effectively work the same in programming logic, the only difference being setting an expiration date to the cookie. Cookies are great for remembering settings or user-specific data multiple times even after the user leaves the site and comes back to it long after that specific session has been destroyed.