Cookies versus PHP Sessions

Many PHP programmers have to choose between sessions and cookies for their websites. Both have their advantages, and every PHP programmer should understand the differences so that he can make the right decision. After all, it is never good to rewrite the backbone of a site because the other mechanism turned out to be more suitable. Generally, sessions serve as a temporary information holder, whereas cookies serve as both a temporary and a long-term information holder; thus, cookies are usually the better choice for web development.
Sessions are PHP's built-in method for handling cookies. Sessions, according to, are "a way to preserve certain data across subsequent accesses." Whenever PHP creates a new session, it generates a session ID. This session ID is then either stored on the user's computer as a cookie or, in some cases, appended to the end of each page's URL as a query string. The actual data is not stored on the user's computer. Instead, PHP stores the session data on the server, in a database or a text file. In the background, PHP runs a garbage-collection process that destroys all sessions that have been inactive for twenty-four minutes (by default—this value can be changed). Thus, sessions are a way of storing client information on a server.
Sessions have their own advantages and disadvantages. For instance, every time a PHP script accesses a session (the values need not change), the garbage collector resets its twenty-four-minute countdown to deletion. Thus, a user cannot leave a site, come back in an hour or two, and expect the session to still be alive. In addition, the user's browser deletes all session IDs every time the user closes it. Thus, the only real advantage of using sessions is that they allow a PHP programmer to hide what information is being stored from users and hackers. However, hackers can hijack sessions with a cookie grabber, so one cannot argue that sessions are much more secure than cookies. The only security advantage of sessions is that they hide information: if a website stored a user's (encrypted) password in a cookie and a hacker somehow obtained the cookie, the hacker could run a password cracker on the encrypted password to decipher it, whereas a session hijacker would only have access to the account, not the encrypted password. PHP programmers should use sessions only for things that require the short-term preservation of data, such as a CAPTCHA script or a shopping cart. PHP programmers should not use sessions for things that require the long-term preservation of data, such as login pages or user preferences. Overall, sessions serve as a short-term method for preserving data across pages while hiding information from users and hackers.
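The shopping-cart case the two paragraphs above describe, as an added example that is not code from the original article: the browser receives only the session ID cookie, the cart itself lives in `$_SESSION` on the server, and the twenty-four-minute inactivity limit is the `session.gc_maxlifetime` setting. The catalogue and prices are constructed, the site is assumed to be served over HTTPS, and the cookie flags, strict mode and ID regeneration go slightly beyond the article as the settings a practitioner would pair with it. Requires PHP 7.3 or later for the array form of `session_set_cookie_params()`.

```php
<?php
// Added example (not from the original article): a minimal shopping cart kept
// in a PHP session, the kind of short-term data the article recommends
// sessions for. Catalogue and prices are constructed; HTTPS is assumed.

declare(strict_types=1);

// The session ID is the only thing that reaches the browser; it travels in a
// cookie. HttpOnly keeps page scripts from reading it, Secure keeps it to HTTPS.
session_set_cookie_params([
    'lifetime' => 0,        // browser-session cookie: gone when the browser closes
    'path'     => '/',
    'secure'   => true,     // assumption: the site is served over HTTPS
    'httponly' => true,
    'samesite' => 'Lax',
]);

// Carry the ID only in the cookie, never appended to URLs as a query string
// (the fallback the article mentions), and reject IDs the server never issued.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');

// Server-side data is garbage-collected after 24 minutes of inactivity by
// default (1440 seconds); set explicitly here so the value is visible.
ini_set('session.gc_maxlifetime', '1440');

session_start();

// Constructed catalogue; on a real site this comes from the database.
const CATALOGUE = [
    'sku-100' => ['name' => 'Notebook', 'price_cents' => 499],
    'sku-200' => ['name' => 'Pen',      'price_cents' => 149],
];

/** Add a catalogue item to the cart in $_SESSION; unknown SKUs are ignored. */
function addToCart(string $sku, int $qty): void
{
    if (!array_key_exists($sku, CATALOGUE) || $qty < 1 || $qty > 99) {
        return;  // form input is untrusted: only known SKUs and sane quantities
    }
    $_SESSION['cart'][$sku] = ($_SESSION['cart'][$sku] ?? 0) + $qty;
}

/** Total in cents, computed from the server-side catalogue, never from client data. */
function cartTotalCents(): int
{
    $total = 0;
    foreach ($_SESSION['cart'] ?? [] as $sku => $qty) {
        $total += CATALOGUE[$sku]['price_cents'] * $qty;
    }
    return $total;
}

// Handle a form post such as:  POST /cart.php   sku=sku-100&qty=2
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    addToCart((string)($_POST['sku'] ?? ''), (int)($_POST['qty'] ?? 0));
    // Issue a fresh ID after a state change so an ID captured earlier (the
    // hijacking the article warns about) stops being useful.
    session_regenerate_id(true);
}

header('Content-Type: text/plain');
printf("Session ID (the only value stored in the browser): %s\n", session_id());
printf("Cart (stored on the server): %s\n", json_encode($_SESSION['cart'] ?? []));
printf("Total: %.2f\n", cartTotalCents() / 100);
```

Every access to the session through `session_start()` touches the session file's modification time, which is what the garbage collector compares against `gc_maxlifetime`; that is the "countdown reset" the text describes, and it is why the cart survives only while the user keeps browsing.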
Cookies are the conventional alternative to sessions: they have been around for what seems like forever, and they are not specific to PHP. defines them as "a mechanism for storing data in the remote browser and thus tracking or identifying return users." Cookies last a set interval of time—even if the user closes the browser (unless of course he clears his cookies)—and then they expire. The only disadvantage of using a cookie is that the information is stored locally on the user's computer in a text file. Therefore, both hackers who use cookie stealers and anyone with physical or remote access to the computer's files can read that information, which can be a security threat. A well-coded website prevents cookie grabbers from working, and thus eliminates most of that threat. It is important to keep in mind, though, that users can easily change the value of a cookie, so treat anything inside a cookie as malicious user input. With that in mind, PHP programmers should use cookies as the long-term solution for preserving data across pages and sessions.
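The user-preference case from the paragraph above, as an added example that is not code from the original article: a long-lived cookie that outlives the browser, read back as untrusted input. It goes one step beyond the article by attaching an HMAC to the value so the server can tell an edited cookie from one it issued; the cookie name, the allowed values and the secret are constructed, and HTTPS is assumed. Requires PHP 7.3 or later for the array form of `setcookie()`.

```php
<?php
// Added example (not from the original article): a long-term preference cookie
// whose value is treated as user input. Names, allowed values and the secret
// are constructed placeholders.

declare(strict_types=1);

const COOKIE_NAME = 'theme';
const ALLOWED     = ['light', 'dark'];
const ONE_YEAR    = 365 * 24 * 60 * 60;
// Assumption: a per-site secret loaded from configuration; this is a placeholder.
const COOKIE_SECRET = 'replace-with-a-random-32-byte-secret';

/**
 * Build the cookie payload "value.hmac". The HMAC lets the server detect a
 * value the user changed in the browser; it does not hide the value, which is
 * the point the article makes about cookies versus sessions.
 */
function signValue(string $value): string
{
    return $value . '.' . hash_hmac('sha256', $value, COOKIE_SECRET);
}

/** Return the value only if the signature matches and it is on the allow-list. */
function readSignedValue(?string $raw): ?string
{
    if ($raw === null || strpos($raw, '.') === false) {
        return null;
    }
    [$value, $mac] = explode('.', $raw, 2);
    $expected = hash_hmac('sha256', $value, COOKIE_SECRET);
    if (!hash_equals($expected, $mac)) {
        return null;          // edited, forged, or signed with another secret
    }
    // Even a correctly signed value is checked against the allow-list.
    return in_array($value, ALLOWED, true) ? $value : null;
}

// Write: the user picked a theme through a form (POST theme=dark).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $choice = (string)($_POST['theme'] ?? '');
    if (in_array($choice, ALLOWED, true)) {
        setcookie(COOKIE_NAME, signValue($choice), [
            'expires'  => time() + ONE_YEAR,  // survives browser restarts
            'path'     => '/',
            'secure'   => true,               // assumption: site served over HTTPS
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
        $_COOKIE[COOKIE_NAME] = signValue($choice); // make it visible to this request
    }
}

// Read: fall back to a default when the cookie is missing, altered or unknown.
$theme = readSignedValue($_COOKIE[COOKIE_NAME] ?? null) ?? 'light';

header('Content-Type: text/plain');
echo "Theme in use: {$theme}\n";
```

Because the value sits in the browser, anyone who can read the cookie file can read the preference; the signature only guarantees that the server will ignore a value it did not write. For data that must stay hidden, the article's own advice applies: keep it in a session and send only the ID.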
Overall, sessions serve as a temporary information holder that can hide information, whereas cookies serve as both a temporary and a long-term information holder. Once the difference between sessions and cookies is clear, making the right choice for a website is rather simple. Though sessions may seem easier to use than cookies, never doubt the power and ease of using cookies.