The Difference Between PHP Cookies and Sessions

Should you use cookies or sessions on your website?

Businesswoman working from home
Blend Images/Hill Street Studios/Vetta/Getty Images

In PHP, visitor information designated to be used across the site can be stored in a session or a cookie. The main difference between cookies and sessions is that information stored in a cookie is stored on the visitor's browser, and information stored in a session is not—it is stored at the web server. This difference determines what each is best suited for.

A Cookie Resides on the User's Computer

Your website can be set to place a cookie on a user's computer.

That cookie maintains information in the user's machine until the information is deleted by the user. A person may have a username and password to your website. That information can be saved as a cookie on the visitor's computer, so there is no need for him to log in to your website on each visit. Common uses for cookies include authentication, storage of site preferences and shopping cart items. Although you can store almost any text in a browser cookie, a user can block cookies or delete them at any time. If, for example, your website's shopping cart utilizes cookies, shoppers who block cookies in their browsers can't shop at your website.

Session Information Resides on the Web Server

A session is server-side information intended to exist only throughout the visitor's interaction with the website. Only a unique identifier is stored on the client side. This token is passed to the web server when the visitor's browser requests your HTTP address.

That token matches your website with the visitor's information while the user is at your site. When the user closes the website, the session ends and your website loses access to the information. If you don't need any semi-permanent data, sessions are usually the way to go. They are a little easier to use and they can be as large as needed, in comparison with cookies, which are relatively small.

 

So, if you have a site requiring a login, that information is better served as a cookie, or the user would be forced to log in every time he visits. If you prefer tighter security and the ability to control the data and when it expires, sessions work best.

You can, of course, get the best of both worlds. When you know what each does, you can use a combination of cookies and sessions to make your site work exactly the way you want it to work.