[RESOLVED] Whether Cookie And Sessions Are Same


palansanthu
06-22-2006, 12:29 AM
Hello folks,
I went through some of the login and logout scripts through Google. Some articles used cookies and others used sessions.

Now my basic question is whether cookies and sessions are the same? If not, how do they differ?
When and where to use cookies, and where to use sessions?

I am totally confused... :(

Please help

russell
06-22-2006, 12:52 AM
They are not the same, though they provide similar functionality. Sessions are more secure; the info contained is stored on the server, not accessible by the user. Sessions also defeat load balancing schemes (important for a large site with lots of servers). Sessions take up memory and (if PHP/Apache) disk space on the server. Important to note that for sessions to work, cookies must be supported by the client, and one cookie is set to maintain the session. This cookie can be impersonated, so sessions alone are not "totally" secure.

Cookies on the other hand, store all of their data on the client. No web server memory or storage space used to store. Web farm scalability is not impacted. Sensitive information should never be stored in cookies as they can be easily accessed and read and even modified or spoofed by the client.

NogDog
06-22-2006, 12:57 AM
The basic difference is where the data is stored for things like login status, user name, access privileges, etc. that you might want to track for each logged in user. With a cookie-based approach, everything would be stored on the user's PC as one or more cookies. With sessions, everything is stored in a file on the server (and so is not constantly being sent back and forth across the network for each page request) and only one value, the user's current session ID, is transmitted as a cookie.
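The difference russell and NogDog describe, shown as code. This is an added example, not code from the thread: the same "is this user an admin?" check implemented with client-side cookie state and with server-side session state. The function names and the `role` field are assumptions for illustration.

```php
<?php
// Added example, not from the thread: the same "is this user an admin?"
// decision stored the two ways the posts above describe. Function names and
// the 'role' field are assumptions for illustration.

declare(strict_types=1);

// Cookie-based: the whole state lives on the client. Whatever the browser
// sends is believed, so editing the cookie to role=admin grants admin.
function isAdminCookieBased(array $cookies): bool
{
    return ($cookies['role'] ?? '') === 'admin';   // client-controlled value
}

// Session-based: the client only holds the session ID; the role was written
// by the server at login and is read back from the server-side store.
function loginWithSession(string $username, string $roleFromDatabase): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION['user'] = $username;
    $_SESSION['role'] = $roleFromDatabase;          // never taken from the request
}

function isAdminSessionBased(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return ($_SESSION['role'] ?? '') === 'admin';
}

// Demonstration with constructed input (no real users or cookies).
loginWithSession('bob', 'viewer');                 // server decided: viewer

$tamperedCookies = ['role' => 'admin'];            // what a client could send
var_dump(isAdminCookieBased($tamperedCookies));    // bool(true)  - the client decided
var_dump(isAdminSessionBased());                   // bool(false) - the server's record
```

The point of the pair is where the authoritative value lives: in the first function the request itself carries the answer, in the second the request carries only a session ID and the answer is looked up in a store the client cannot edit. That is why russell's advice is to keep anything sensitive out of cookies.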

palansanthu
06-22-2006, 01:06 AM
Hi russell,
thanks for the information... So to make sessions work we need to have cookies enabled in the client. Sessions alone are not "totally" secure.
How to make them more secure then?
Sensitive information should never be stored in cookies as they can be easily accessed and read and even modified or spoofed by the client.

Is it possible to encrypt cookie content?
And how to check whether cookies are enabled in the client browser?

Thanks

NogDog
06-22-2006, 01:12 AM
It is possible to run sessions without cookies by activating [b]session.use_trans_sid[/b] in your php.ini, but that then means the session ID is added to each URL during the session, making it easier for the user to intentionally or accidentally "spoof" a session ID.
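The weak setting NogDog mentions beside the corrected one, plus the cookie-support check asked for above, as an added example that is not NogDog's or PHP's own code. It assumes PHP 7.3 or newer (for the array form of session_set_cookie_params() and setcookie()); the function names and the probe cookie name are mine.

```php
<?php
// Added example, not from the thread: session transport hardening for the
// settings discussed above. The weak php.ini value is noted in the comment
// next to each corrected ini_set() call. Function names are assumptions.

declare(strict_types=1);

function startHardenedSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Weak: session.use_trans_sid = 1 puts the ID into every URL, where it
    // leaks through Referer headers, proxy logs and copied links.
    ini_set('session.use_trans_sid', '0');
    // Weak: session.use_only_cookies = 0 accepts an ID from the query string,
    // which is what makes planting a chosen ID easy.
    ini_set('session.use_only_cookies', '1');
    // Reject any ID that PHP did not generate itself.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',    // not sent with cross-site POSTs
    ]);
    session_start();
}

// Call after the password check succeeds: a fresh ID means whatever ID the
// browser held before authentication is not the one that is now privileged.
function promoteSessionAfterLogin(string $username): void
{
    startHardenedSession();
    session_regenerate_id(true);
    $_SESSION['user']      = $username;
    $_SESSION['logged_in'] = true;
}

// Answers "how to check whether cookies are enabled": on the first visit set a
// probe cookie and redirect back to ourselves; on the redirected request see
// whether the probe came back.
function cookiesEnabled(): bool
{
    if (isset($_COOKIE['cookie_probe'])) {
        return true;
    }
    if (!isset($_GET['probe'])) {
        setcookie('cookie_probe', '1', ['path' => '/', 'samesite' => 'Lax']);
        header('Location: ' . strtok($_SERVER['REQUEST_URI'], '?') . '?probe=1');
        exit;
    }
    return false;   // redirected here and the probe cookie did not come back
}

// Typical use in a login script:
//   if (!cookiesEnabled()) { /* show "please enable cookies" page */ }
//   startHardenedSession();
//   ... verify credentials ...
//   promoteSessionAfterLogin($username);
```

The regeneration in promoteSessionAfterLogin() is the server-side counterpart to the thread's worry about spoofed IDs: even if an ID was observed or handed to the browser before login, it stops being valid the moment the session gains privileges.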

palansanthu
06-22-2006, 01:14 AM
NogDog,
that means the session ID for each user will be stored at the client side as a cookie, and whenever the client makes a request for some page, the session ID from the client cookie will be sent and compared with the session stored at the server side, and the page is processed accordingly. Am I right?

NogDog
06-22-2006, 01:20 AM
Yep.

palansanthu
06-22-2006, 01:25 AM
OK guys, thanks for your help. :)

Now I got some idea. I'll try to learn more about this.

Thanks once again

Further comments on this topic are welcome

Sheldon
06-22-2006, 05:32 AM
I like to use sessions more; the chance that they are going to be spoofed is low. If the user wants to have a remember function, then use cookies. Sessions are faster, and the user must accept the cookies for them to work.
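For the "remember me" cookie Sheldon mentions, and the earlier question of whether cookie content can be encrypted, here is an added example (not from the thread) of a cookie value that is both encrypted and authenticated with libsodium, which ships with PHP 7.2 and newer. Encryption alone would hide the content but not stop a client from altering it; the secretbox construction also carries a MAC, so a modified cookie is rejected rather than decrypted. The cookie name, the key source and the payload layout are assumptions for illustration.

```php
<?php
// Added example, not from the thread: an encrypted and authenticated
// "remember me" cookie using libsodium. Cookie name, key source and payload
// fields are assumptions for illustration.

declare(strict_types=1);

const REMEMBER_COOKIE = 'remember';

// The key must stay on the server (environment variable or a config file
// outside the web root). Derived from a fixed string here only so the script
// runs stand-alone; that is NOT how a real key should be obtained.
function rememberKey(): string
{
    return hash('sha256', 'constructed-demo-secret-replace-me', true);   // 32 raw bytes
}

// nonce || ciphertext, base64url-encoded so it fits in a cookie value.
function sealRememberToken(array $payload, string $key): string
{
    $nonce      = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = sodium_crypto_secretbox(json_encode($payload, JSON_THROW_ON_ERROR), $nonce, $key);
    return sodium_bin2base64($nonce . $ciphertext, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

// Returns the payload, or null when the cookie is missing, malformed,
// modified, sealed under another key, or expired.
function openRememberToken(?string $cookieValue, string $key): ?array
{
    if ($cookieValue === null) {
        return null;
    }
    try {
        $raw = sodium_base642bin($cookieValue, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    } catch (SodiumException $e) {
        return null;                                   // not valid base64url
    }
    if (strlen($raw) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null;                                   // too short to hold nonce + MAC
    }
    $nonce      = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain      = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
    if ($plain === false) {
        return null;                                   // MAC failed: modified or wrong key
    }
    $payload = json_decode($plain, true);
    if (!is_array($payload) || ($payload['exp'] ?? 0) < time()) {
        return null;                                   // garbage or expired
    }
    return $payload;
}

// Demonstration with a constructed payload (no real user).
$key   = rememberKey();
$token = sealRememberToken(['user' => 'alice', 'exp' => time() + 30 * 86400], $key);
// In a real handler the token is set with the protective flags:
//   setcookie(REMEMBER_COOKIE, $token, ['expires' => time() + 30 * 86400, 'path' => '/',
//             'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);

var_dump(openRememberToken($token, $key)['user']);     // string(5) "alice"
$tampered = substr($token, 0, -2) . 'AA';              // client edits the cookie
var_dump(openRememberToken($tampered, $key));          // NULL
```

Even sealed this way the cookie is still a bearer credential: whoever presents it is logged in, so it needs the Secure and HttpOnly flags, and revoking it before expiry (after a password change, for instance) requires a server-side record of issued tokens that the handler also checks.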

palansanthu
06-23-2006, 03:11 AM
I like to use sessions more; the chance that they are going to be spoofed is low. If the user wants to have a remember function, then use cookies. Sessions are faster, and the user must accept the cookies for them to work.

Thanks for the suggestion :)