When should I use session variables instead of cookies?

Session variables and cookies seem very similar to me. I understand the technical differences, but how do you decide when to use one vs. the other?

• Sessions are stored on the server, which means clients do not have access to the information you store about them. Session data, being stored on your server, does not need to be transmitted in full with each page; clients just need to send an ID and the data is loaded from the server.

• On the other hand, cookies are stored on the client. They can be made durable for a long time and would allow you to work more smoothly when you have a cluster of web servers. However, unlike sessions, data stored in cookies is transmitted in full with each page request.

• Avoid storing data in cookies

  • It can be seen, read and manipulated by the end user, or intercepted by those with nefarious intent. You can't trust any data in cookies, except for the "session_id".
  • It increases your bandwidth, if you add 1k of data per page request per user, that might increase your bandwidth by 10-15%. This is perhaps not costly from a $$ perspective, but it could be from a performance perspective. It effectively would decrease your bandwidth on a per server by 10-15%, i.e., it might cause you to need more servers.

• What you can store in session data depends on the amount of data and number of users you have. no_of_users * size_of_session_data must be less than the free memory available on your server.

• Always use sessions
• Use cookies only if you need longer logged-in sessions - Then add a cookie with an encrypted user ID.

Most of the time, session state is persisted using cookies. So it's not really a question of one or the other, but how to use them together.

Using your framework's session infrastructure may make things easier, but tracking state manually with cookies usually gives you finer grained control. The correct solution depends on what you're trying to accomplish.

Cookies can persist longer than a single session. However, cookies may also be deleted by the user, or you may have a user whose browser does not accept cookies (in which case only a server-side session will work).

Cookies are client-side, and sessions are server-side.

Use cookies for small pieces of data that you can trust the user with (like font settings, site theme, etc.) and for opaque IDs for server-side data (such as session ID). Expect that these data can be lost at any time and they can not be trusted (i.e. need to be sanitized).

Use session data for bigger data chunks (for many systems can store objects, data structures, etc.) and ones you have to trust - like authorization status, etc. In general, use session data for storing larger state data.

You can store things like authorization status in cookies too, if it's needed for GUI, caching, etc. - but never trust it and never rely on it being present. Cookies are easy to delete and easy to fake. Session data is much harder to fake, since your application controls it.

Cookies are sent to the server on every request, so if you plan to store a fair amount of data, store it in a session.

Otherwise, if you are storing small amounts of data, a cookie will be fine.

Any sensitive data should be stored in a session, as cookies are not 100% secure. An advantage of cookies is that you can save memory on your server that would normally be storing session data.

One of the drawbacks of PHP sessions is how session handling works. Specifically, only one process/request can have a session open for writing at a time. Upon

session_start() 

the session file is locked. If more processes come along, the rest pile up and wait their turn.

In other words, if you are using AJAX on a page to update several elements - you do not want the AJAX requests opening up the same session - they will be forced into a queue and if one of those requests get stuck - it will not release the session - resulting in a browser hang where opening up a new tab or window only puts another unfillable request into the queue on the server. Using

session_write_close()

as soon as possible to release the session is a partial work-around.

A long running request with a user getting bored and opening up more windows could have the same browser hanging effect.

I recommend avoiding PHP sessions.

Sessions are stored on the server. If you store something in a cookie, the user's browser sends that information with every request, potentially slowing down your site from the user's perspective. I try to avoid using cookies when I can.

Use sessions only if the data is too big for cookies or if the data is so big that it would decrease the performance if you used cookies.

For example, if you are saving smaller data then the size of a session ID in your cookie, like two login tokens or something similar... Then I don't see why you would use sessions over cookies.

Also note that PHP session files are saved to disk by default, compared to cookies, which are saved only on the client side.

Sessions are stored on the server side. If a visitor stores something in a cookie, the browser will send the user information for every request made.

This tends to consume a lot of servers computer time and slowing the user's experience. Some browsers also do not support cookies giving more advantage to sessions over cookies... I strongly recommend sessions.

This might help: Cookies (php.net)

Your definite Guide

N.B - A cookie is stored on users' browsers, and a session is stored on your hosting server machine.

When to Use

1. Use a cookie when you want your application to remember user's data always, even when they have closed their browsers. E.g whenever you type www.facebook.com it takes you to your account, even when your browser has been closed and re-opened.

   Because any data kept in a session is cleared off once you close your browser.

2. Use a cookie when the user information to be stored is much larger than normal. ... With a session, if you have a larger user base, like Facebook, think of how it will look storing all user sessions on the hosting machine.

3. Use a session when the user information to be stored is not larger than normal, and you don't want the public to have access to your user variables...

Sessions and cookies are not the same at all. Cookies are client side. Sessions are server side. Sessions often (but not necessarily) use cookies to correlate one request with another from the same user to identify that they belong to the same session.

A session is an artificial concept, and HTTP doesn't have that notion. It is created by web servers to help web developers carry information across requests, like user account information, shopping carts, form data, etc. A cookie is carried by standard HTTP headers.

The information you store in a session vs. a cookie is up to you. Typically you put stuff in cookies that you want to persist across sessions after the user closes his/her browser. Maybe remembering authentication tokens to implement "remember me" functionality, or past user activity to personalise his/her experience. Keep this information small and "referential", i.e. it could be just IDs that refer to richer information you store sever side. Remember that what is client side is more vulnerable to malware, so don't store passwords or sensitive information.

Finally, there is also local storage, which you did not mention. This is also client side, but arguably a bit less susceptible to cross-site scripting hacks since, unlike cookies data, it is not automatically sent in the headers.