What is the difference between Sessions and Cookies in PHP?

A cookie is a bit of data stored by the browser and sent to the server with every request.

A session is a collection of data stored on the server and associated with a given user (usually via a cookie containing an id code)

A session is a chunk of data maintained at the server that maintains state between HTTP requests. HTTP is fundamentally a stateless protocol; sessions are used to give it statefulness.

A cookie is a snippet of data sent to and returned from clients. Cookies are often used to facilitate sessions since it tells the server which client handled which session. There are other ways to do this (query string magic etc) but cookies are likely most common for this.

Cookies are used to identify sessions. Visit any site that is using cookies and pull up either Chrome inspect element and then network or FireBug if using Firefox.

You can see that there is a header sent to a server and also received called Cookie. Usually it contains some personal information (like an ID) that can be used on the server to identify a session. These cookies stay on your computer and your browser takes care of sending them to only the domains that are identified with it.

If there were no cookies then you would be sending a unique ID on every request via GET or POST. Cookies are like static id's that stay on your computer for some time.

A session is a group of information on the server that is associated with the cookie information. If you're using PHP you can check the session.save_path location and actually "see sessions". They are either files on the server filesystem or backed in a database.

The main difference between a session and a cookie is that session data is stored on the server, whereas cookies store data in the visitor’s browser.

Sessions are more secure than cookies as it is stored in server. Cookie can be turned off from browser.

Data stored in cookie can be stored for months or years, depending on the life span of the cookie. But the data in the session is lost when the web browser is closed.

Cookies are stored in browser as a text file format.It stores limited amount of data, up to 4kb[4096bytes].A single Cookie can not hold multiple values but yes we can have more than one cookie.

Cookies are easily accessible so they are less secure. The setcookie() function must appear BEFORE the tag.

Sessions are stored in server side.There is no such storage limit on session .Sessions can hold multiple variables.Since they are not easily accessible hence are more secure than cookies.

Session

Session is used for maintaining a dialogue between server and user. It is more secure because it is stored on the server, we cannot easily access it. It embeds cookies on the user computer. It stores unlimited data.

Cookies

Cookies are stored on the local computer. Basically, it maintains user identification, meaning it tracks visitors record. It is less secure than session. It stores limited amount of data, and is maintained for a limited time.

One part missing in all these explanations is how are Cookies and Session linked- By SessionID cookie. Cookie goes back and forth between client and server - the server links the user (and its session) by session ID portion of the cookie. You can send SessionID via url also (not the best best practice) - in case cookies are disabled by client.

Did I get this right?

Cookie

• is a small amount of data saved in the browser (client-side)

• can be set from PHP with setcookie and then will be sent to the client's browser (HTTP response header Set-cookie)

• can be set directly client-side in Javascript: document.cookie = 'foo=bar';

• if no expiration date is set, by default, it will expire when the browser is closed.
  Example: go on http://example.com, open the Console, do document.cookie = 'foo=bar';. Close the tab, reopen the same website, open the Console, do document.cookie: you will see foo=bar is still there. Now close the browser and reopen it, re-visit the same website, open the Console ; you will see document.cookie is empty.

• you can also set a precise expiration date other than "deleted when browser is closed".

• the cookies that are stored in the browser are sent to the server in the headers of every request of the same website (see Cookie). You can see this for example with Chrome by opening Developer tools > Network, click on the request, see Headers:

  

• can be read client-side with document.cookie

• can be read server-side with $_COOKIE['foo']

• Bonus: it can also be set/get with another language than PHP. Example in Python with "bottle" micro-framework (see also here):

  from bottle import get, run, request, response
  @get('/')
  def index():
  if request.get_cookie("visited"):
  return "Welcome back! Nice to see you again"
  else:
  response.set_cookie("visited", "yes")
  return "Hello there! Nice to meet you"
  run(host='localhost', port=8080, debug=True, reloader=True)
  

Session

• is some data relative to a browser session saved server-side

• each server-side language may implement it in a different way

• in PHP, when session_start(); is called:

  • a random ID is generated by the server, e.g. jo96fme9ko0f85cdglb3hl6ah6
  • a file is saved on the server, containing the data: e.g. /var/lib/php5/sess_jo96fme9ko0f85cdglb3hl6ah6

  • the session ID is sent to the client in the HTTP response headers, using the traditional cookie mechanism detailed above: Set-Cookie: PHPSESSID=jo96fme9ko0f85cdglb3hl6ah6; path=/:

    

    (it can also be be sent via the URL instead of cookie but not the default behaviour)

  • you can see the session ID on client-side with document.cookie:

    

• the PHPSESSID cookie is set with no expiration date, thus it will expire when the browser is closed. Thus "sessions" are not valid anymore when the browser is closed / reopened.

• can be set/read in PHP with $_SESSION

• the client-side does not see the session data but only the ID: do this in index.php:

  <?php
  session_start();
  $_SESSION["abc"]="def";
  ?>
  

  The only thing that is seen on client-side is (as mentioned above) the session ID:

  

• because of this, session is useful to store data that you don't want to be seen or modified by the client

• you can totally avoid using sessions if you want to use your own database + IDs and send an ID/token to the client with a traditional Cookie