Session vs Cookie or cookies and session in php

Complete guide of cookies and session in php




Many New PHP developers are often confused whether to use sessions or cookies for their websites. Both cookies and sessions have their advantages and drawbacks. PHP developer should first understand the differences between each so that he can choose better option according to need.


Sessions are PHP’s built in method for handing cookies. According to, sessions are “a way to preserve certain data across subsequent accesses.”


Whenever PHP creates a new session, it generates a sessionID (session_id())this session id is then either stored on the user’s computer as a cookie or in some cases, attaches itself to the end of each page’s URL as a query string.The actual information stored is not stored on the user’s computer or client machine.PHP stores the information in the session on the server in some kind of database or a text file( you can see this in phpinfo “session.save_handler“).In the background processes on the server, PHP runs a garbage collecting process that destroys all sessions that have been inactive for twenty-four minutes (in phpinfo “session.gc_maxlifetime“)thus, sessions are a way of storing client information on a server.


Every time on client request (values do not necessarily have to be changed) a session, the garbage collector resets its twenty-four minute countdown for deletion.Thus, a user cannot leave a site and come back in an hour or two (time set in php.ini file) and expect the session to still be alive.In addition, a user’s computer deletes all sessionIDs every time the user closes the browser.Thus, the only real advantage of using sessions is that they allow a PHP developer to hide what information is being stored from the users and hackers.However, hackers can hijack sessions with a cookie grabber, so one cannot argue that sessions are much more secure than cookies.

The only security advantage of sessions is that they hide information; thus, if a website stored a user’s (encrypted) password in a cookie and a hacker somehow obtained the cookie, the hacker could run a password cracker(bad software) on the encrypted password to get it, whereas a session hijacker would have only have access to the account, not the encrypted password.PHP developers should use sessions only for things that require the short-term preservation of data.Overall, sessions serve as a short-term method for preserving data across pages while hiding information from users and hackers.


COOKIE defines cookies as “a mechanism for storing data in the remote browser and thus tracking or identifying return users.”

Cookies maintain a set interval of time even if the user closes the browser (unless of course he clears his cookies or it expire). The only disadvantage to using a cookie is that the information is stored locally on the user’s computer in a text file. Therefore, hackers who use cookie stealer can access the information as well as anyone with physical or remote access to the computer’s files, this can be a security threat. However, a well-coded website prevents cookie grabbers from working, and thus eliminates most of the security threat. However, it is important to keep in mind that users can easily change the value of a cookie, so treat anything inside of a cookie as malicious user input. Therefore, PHP developers should use cookies as a long-term solution to preserve data across pages and sessions.


Overall, sessions serve as temporary information holder that can hide information, whereas cookies serve as both a temporary and long-term information holder. After the difference between sessions and cookies is clear, making the right choice for a website is rather simple. Though sessions may seem easier to use than cookies, never doubt the power and ease of using cookies.


Hope this will help 🙂


Do you want to know a quick answer of differences between session and cookie?