
Differences Between Sessions & Cookies

Folks,

A few years back, 5 or so, I learnt about PHP sessions & cookies. Mostly used the former. Now revising the latter. I have forgotten the real differences between the two, apart from the former holding user data on the server while the latter holds it in the user's browser.
But reading back on sessions, I am reminded about the SID. That gets placed on the user side. So, how is it any different from the cookie that also gets placed on the user side?
So, with the cookie all variable data is placed on the user side while with the session only the SID? And for this the session is a big deal because only the SID gets sent back and forth between server & browser, thus eating little bandwidth, while with cookies all variable data gets sent back & forth to/from browser/server, thus draining bandwidth?
Anyway, tutorials say users, like hackers, can easily change cookie data on their side while they can't change session data that is on the server side. But if they change the SID (that represents Account Holders' Usernames) that is on their client side then they will trick the server to show personal data of other members of the website. Personal data that session variables usually hold. Right?
Why do I get the feeling that you will say the SID is unique and even though it sort of represents Usernames of the membership site's Account Holders, the SID will be randomly created following no rules or formula, that if decoded, the username won't be found? Or, did I come close to what you wanted to say? Lol!

PHP

14 Comments(s)

@johncarry Apr 22.2021 — Cookies and Sessions are used to store information. Cookies are only stored on the client-side machine, while sessions get stored on the client as well as a server.
@developer_web (author) Apr 22.2021 — Yes, I know. Thanks folks.

But how does the session save server bandwidth over the cookie that is significant in amount or quantity ?
@NogDog Apr 22.2021 —

> @developer_web#1630726 But how does the session save server bandwidth over the cookie that is significant in amount or quantity

That has nothing to do with if/when you use sessions/cookies, as far as I'm concerned. It has to do with how much control and/or security you want over the persistent data. (Cookies can be modified by a knowledgeable user as much as they desire, while session data resides on the server and is not accessible to the end user.)
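
The point about user-editable cookies, as an added example that is not part of the thread: when a value has to live in a cookie, the server can attach an HMAC tag and reject any value that was changed on the client. The constant `COOKIE_KEY` and both helper names are assumptions made for this illustration, and the sample values are constructed.

```php
<?php
declare(strict_types=1);

// Assumption: a real key is loaded from server-side configuration, never hard-coded.
const COOKIE_KEY = 'constructed-demo-key-change-me';

/** Pack a value with an HMAC-SHA256 tag so the server can detect edits. */
function sign_cookie_value(string $value, string $key): string
{
    $payload = base64_encode($value);   // base64 never contains '.', so '.' is a safe separator
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

/** Return the original value, or null if the cookie was altered or malformed. */
function verify_cookie_value(string $cookie, string $key): ?string
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $tag] = $parts;
    $expected = hash_hmac('sha256', $payload, $key);
    if (!hash_equals($expected, $tag)) {   // constant-time comparison
        return null;
    }
    $value = base64_decode($payload, true);
    return $value === false ? null : $value;
}

// Constructed sample: the cookie the server issued, and the same cookie after
// the user edited the payload but could not recompute the tag.
$issued = sign_cookie_value('role=guest', COOKIE_KEY);
$edited = base64_encode('role=admin') . '.' . explode('.', $issued, 2)[1];

var_dump(verify_cookie_value($issued, COOKIE_KEY));   // accepted: original value comes back
var_dump(verify_cookie_value($edited, COOKIE_KEY));   // rejected: tag no longer matches
```

Signing only protects integrity; the value is still readable by the user, so anything confidential belongs in the server-side session.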
@developer_web (author) Apr 23.2021 — @NogDog#1630750

You know I wanted to track what users search on my website.

Intend to let users open accounts and then site search. That way, I can log what user is using what keywords and clicking which links and viewing which of my pages.

But, let us say, a non-member, who bothers not to open any account. Let us say, he is a "guest" visitor and not a "member" visitor. I still want to be able to track what keywords he site searches and what links he clicks so I can collect the links anchors into my "clicked keywords" (keywords that generated link clicks) mysql tbl. I was planning on tracking the guests via cookies.

As to track through sessions, they must open an account by submitting Username, Password, Email, etc.

But then I thought: Why only use sessions when users login to their accounts ?

Why not use still sessions and track and log the guests too ?

Ok. So, tutorials always teach about sessions that we must add them when users login to their accounts but PHP does not restrict starting sessions only when member users have logged into their accounts. I mean after all, pages cannot be part of an account unless the session is started. Right ?

I can start the session anytime by naming the session under the guest's IP and start tracking the guest as well as log their activities under their IPs (instead of their Usernames). The "IP" session can count as their "account" (IP account).

Technically that can be done. Right ? And I won't face any technical or any other forms of trouble. Correct ? I mean, I can check every IP that is on my website and start a session for each new IP that drops to my website. Walla! I still make use of the session and track my guest visitors regardless of whether they open any member accounts on my site or not. Yes ? No need to use the risky Cookies here. Yes ?
@tome1122 Apr 23.2021 — Cookies and Sessions are used to store information. Cookies are only stored on the client-side machine, while sessions get stored on the client as well as a server.
@NogDog Apr 23.2021 — @tome1122#1630778

Please do not just copy/paste other people's replies, or you will be banned.
@shahzadjamil Apr 24.2021 — Cookies and Sessions are used to store information. Cookies are only stored on the client-side machine, while sessions get stored on the client as well as a server. A session creates a file in a temporary directory on the server where registered session variables and their values are stored.
@VITSUSA Apr 27.2021 — @shahzadjamil#1630802 I agree with shahzadjamil, both are used to store information like sessions get stored on the client as well as a server data but Cookies are only stored on the client-side machine.
@ellafell May 04.2021 —

**Cookies**

A cookie is a small file with a maximum size of 4KB that the web server stores on the client computer. Once a cookie has been set, all page requests that follow return the cookie name and value. A cookie can only be read from the domain that it has been issued from. For example, a cookie set using the domain www.guru99.com cannot be read from the domain career.guru99.com. Most of the websites on the internet display elements from other domains such as advertising. The domains serving these elements can also set their own cookies. These are known as third-party cookies. A cookie created by a user can only be visible to them. Other users cannot see its value. Most web browsers have options for disabling cookies, third-party cookies, or both.

**Session**

A session is a global variable stored on the server. Each session is assigned a unique id which is used to retrieve stored values. Whenever a session is created, a cookie containing the unique session id is stored on the user’s computer and returned with every request to the server. If the client browser does not support cookies, the unique session id is displayed in the URL. Sessions have the capacity to store relatively large data compared to cookies.

The session values are automatically deleted when the browser is closed. If you want to store the values permanently, then you should store them in the database.

**KEY DIFFERENCE**

  • Cookies are client-side files that contain user information, whereas Sessions are server-side files that contain user information.
  • Cookie is not dependent on the session, but Session is dependent on Cookie.
  • Cookie expires depending on the lifetime you set for it, while a Session ends when a user closes his/her browser.
  • The maximum cookie size is 4KB whereas, in session, you can store as much data as you like.
  • Cookie does not have a function named unsetcookie() while in Session you can use Session_destroy(); which is used to destroy all registered data or to unset some

@developer_web (author) May 04.2021 — Cheers ellafell!

@developer_web (author) May 04.2021 — @ellafell#1631195

Cheers ellafell!

@carla_rogers May 05.2021 —

> @developer_web#1630775 Ok. So, tutorials always teach about sessions that we must add them when users login to their accounts but PHP does not restrict starting sessions only when member users have logged into their accounts. I mean after all, pages cannot be part of an account unless the session is started. Right ?

Absolutely correct

> @developer_web#1630775 I can start the session anytime by naming the session under the guest's ip

Yes you can. Some IPs are not unique to a single user, but most are.

There are IPs that are not even close to unique to a user. VPNs and proxy servers are the reason.

The basic thing you are talking about is identifying someone when they are not explicitly telling you who they are. A perfect solution is impossible, because every solution has situations where it won't work. That means the best solution is to use several methods, because in cases where one approach does not work, another still might.

People running through VPNs to mask their IPs will have IPs tied to the VPN, not the user. You will find a relatively small number of IPs that a relatively large number of people use. That scenario will not work with IP the way you are talking.

So, if you put cookies on browsers and track by IP, you can look in your log for IPs that have a lot of different cookies associated with them. In those cases, you would have to rely on the cookie instead of the IP to ID your separate users.

People in a household not using a VPN all will have the same IP. If there is only one user per household for your site, then that won't matter.

There Was A Silver Bullet

Most browser installations have a unique fingerprint that can be read with JavaScript. Some browsers, especially Brave Browser Nightly, have a way of blurring and changing the fingerprint so you cannot identify unique browsers. The blurring happens when the browser shuts down. In other words the fingerprint stays the same until the browser is restarted. The next time you see that browser, you will have no way to know it had been to your server before. As of a few months ago, you could use fingerprints with perfect reliability unless the browser is Brave Browser Nightly with fingerprint masking enabled.

> @developer_web#1630775 Technically that can be done. Right ? And I won't face any technical or any other forms of trouble. Correct ? I mean, I can check every IP that is on my website and start a session for each new IP that drops to my website. Walla! I still make use of the session and track my guest visitors regardless of whether they open any member accounts on my site or not. Yes ? No need to use the risky Cookies here. Yes ?

To an extent.

> @developer_web#1630775 I can start the session anytime by naming the session under the guest's ip and start tracking the guest as well as log their activities under their IPs (instead of their Usernames). The "IP" session can count as their "account" (IP account).

This all is 100% true

Whenever someone hits your server who is not logged in, you can put a cookie onto their browser with a unique value. If they come back before the cookie expires, or is removed from their browser, you can spot that.

You can identify browsers by their fingerprint. Browser fingerprints are unique to the device they are installed upon.
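
An added example (not code from any poster in this thread) of tracking guests with an ordinary PHP session: the session ID stays the random value PHP issues, and the IP address is stored as data inside the session rather than used as its name, so a shared or guessed IP cannot select someone else's session. The helper names `log_search` and `promote_to_member` and the `q` parameter are assumptions; the cookie options array needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Harden the session cookie before the session starts.
ini_set('session.use_strict_mode', '1');   // reject session IDs the server never issued
ini_set('session.use_only_cookies', '1');  // never read the ID from the URL
session_set_cookie_params([
    'lifetime' => 0,         // cookie ends with the browser session
    'path'     => '/',
    'secure'   => true,      // assumption: the site is served over HTTPS
    'httponly' => true,      // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();             // works for guests; no login is required

// First request from this browser: create a guest record inside the session.
if (!isset($_SESSION['visitor'])) {
    $_SESSION['visitor'] = ['type' => 'guest', 'username' => null, 'events' => []];
}

/** Hypothetical helper: record one search under the current session. */
function log_search(string $keyword): void
{
    $_SESSION['visitor']['events'][] = [
        'keyword' => substr($keyword, 0, 100),             // bound the stored input
        'ip'      => $_SERVER['REMOTE_ADDR'] ?? 'unknown', // an attribute, not the identity
        'at'      => time(),
    ];
}

/** Hypothetical helper: call only after the password check has succeeded. */
function promote_to_member(string $username): void
{
    session_regenerate_id(true);   // new ID at the privilege change, old session file deleted
    $_SESSION['visitor']['type']     = 'member';
    $_SESSION['visitor']['username'] = $username;
}

// 'q' is an assumed name for the site-search parameter.
if (isset($_GET['q']) && is_string($_GET['q'])) {
    log_search($_GET['q']);
}
```

Regenerating the ID at login keeps the guest's history in the same session while making any ID that was known before authentication useless afterwards.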

@cmswebsiteservicess May 05.2021 — **Key Difference between session and cookies**

  • Cookies are client-side files that contain user information, whereas Sessions are server-side files that contain user information.
  • A cookie isn't keen on a session, but the Session depends on Cookie.
  • A cookie expires counting on the lifetime you set for it, while a Session ends when a user closes his/her browser.
  • The maximum cookie size is 4KB whereas, in session, you'll be able to store the maximum amount of data as you wish.
  • The cookie doesn't have a function named unset cookie() while in Session you'll use Session_destroy(); which is employed to destroy all registered data or to unset some

@ravikumar11 May 05.2021 — Both Cookies and Sessions are used to store information. The key difference between Session and Cookies is that Cookies are only stored on the client-side machine, while sessions get stored on the client as well as a server.