I am working on the development of a website and the time has come to start working with cookies.
Currently, I use sessions to register users, but I wonder:
What are the differences between sessions and cookies?
What are its advantages and disadvantages, can you do the same with both?
Are there differences in terms of security?
Even if they look similar they have different functions and are complementary, you should not just use one or the other.
SESSIONS :
The idea of the sessions is to offer persistence to certain data throughout the subsequent requests .
They allow to store user information individually, during the session. The identifier of the session that tells PHP if a session exists or not is sent to the browser using Cookies by default, this identifier is also used to recover the data of the session. The session information is stored by default in a file on the path set in the environment variable session.save_path .
The maximum time a session is determined by the environment variable session. gc_maxlifetime and its default value is 1440 seconds (24min). In other words, if at that time no http request containing the cookie with the session id has been received, it will be proposed to the garbage collector, on the other hand the sessions may be designed manually . They could also easily delete all sessions, ie all users, eliminating all session files in the directory defined by session.save_path .
The idea of coockies is to offer persistence to certain data over time of cookie life .
The actual operation of cookies is defined in RFC 6265 2011.
Cookies allow you to store information in the browser through pairs of data name = value , this data is sent to the server on each request.
Cookies are part of the HTTP headers, and these are used to create or modify them normally.
The lifetime of a cookie can be established when creating it by defining the Max-Age attribute, if this attribute is not present the duration of the cookie will be until the browser is closed. On the other hand, browsers may not respect the time set for the cookie. There is no maximum time limit set, enclosed in quotes " can last as long as we want ".
Cookies are not recommended to store sensitive information since it is information sent by the client (and can be altered) and any external data must always be treated with suspicion.
Mainly, one of the biggest differences is that the information when you store it with a session is saved on the server side and the information when you save it with a cookie is saved on the client side.
In addition, sessions are destroyed when you close the browser (or when you destroy them manually) while cookies remain for a certain time in the browser (which can be several weeks or even months).
Therefore, it can be said that the sesiones are more secure than the cookies .
Differences between cookies and sessions :
Cookies They run and create on the client's side and can live a long time in the user's browser for example 1 year. The only bad thing is that they can be easily manipulated by someone with knowledge of javascript, without your consent.
Sessions They run on the server side, they are more secure than cookies because they can not be manipulated with javascript on the client side, and the lifetime of a session is until the user closes the browser, for example " Chrome "," Explorer ".
The 2 are used for different things, for example if you want a user to log in and even turn off your computer you want to continue your session you can use cookies , but if you only want the session to last as long as you are within the site you can do it with sesiones without problem.
I hope it will help you make a decision.