Sessions or cookies?

Cookies and sessions are two methods for storing persistent data across page loads for a web visitor. Cookies and sessions are quite different and selecting the appropriate method early will prevent you from switching later.

Cookies

• Cookies are stored on the client side (in the visitor's browser).
• Cookies are not safe: it's quite easy to read and write cookie contents.
• When using cookies, you have to notify visitors according to european laws (GDPR).
• Expiration can be set, but user or browser can change it.
• Users (or browser) can (be set to) decline the use of cookies.

Sessions

• Sessions are stored on the server side.
• Sessions use cookies (see below).
• Sessions are safer than cookies, but not invulnarable.
• Expiration is set in server configuration (php.ini for example).
• Default expiration time is 24 minutes or when the browser is closed.
• Expiration is reset when the user refresh or load a new page.
• Users (or browser) can (be set to) decline the use of cookies, therefore sessions.
• Legally, you also have to notify visitors for the cookie, but the lack of precedent is not clear yet.

The appropriate choice: don't trust user input!

Sessions use a cookie! Session data are stored on the server side, but a UID is stored on client side in a cookie. It allows the server to match a given user with the right session data. UID is protected and hard to hack, but not invulnarable. For sensitive actions (changing email or resetting password), do not rely on sessions neither cookies : ask for the user password to confirm the action.

Sensitive data should never be stored in cookies (emails, encrypted passwords, personal data ...). Keep in mind the data are stored on a foreign computer, and if the computer is not private (classroom or public computers) someone else can potentially read the data.

Remember me data must be stored in cookies, otherwise data will be lost when the user closes the browser. However, don't save password or user personal data in the remember me cookie. Store user data in database and link this data with an encrypted pair of ID / key stored in a cookie.

It you red the previous recommandation, the choice between cookies vs sessions must be directed by the following question :

Must persistent data be keeped when the user closes the browser ?

• If the answer is yes, use cookies.
• If the answer is no, use sessions.

See also

• Add icons on your web pages
• 3D image carousel in pure JavaScript and CSS
• Draw a circle in a square in pure CSS with ::before
• CSS color table
• CSS styles for Rainbow code highlighter
• How to detect ad blockers on web sites?
• HTML drop-down list of citizenships.
• HTML five stars ranking
• How Bézier curves are described in SVG paths
• How to check if a number is prime in JavaScript
• How to get list of subdirectories in PHP
• How to automatically scroll to the bottom of the page in Google Chrome
• How to send dynamic data using Ajax?
• How to slugify a string in JavaScript?
• How to slugify a string in PHP?
• How to sort a multidimensional array in PHP?
• In PHP, how to convert a date in French?
• Levenshtein distance in mySQL
• List of supported languages by Prism syntax highlighter
• Nice HTML checkbox
• PHP array of countries and citizenships.
• Pure CSS loader
• Replace HTML checkbox with images
• Simple SSE in PHP

---