What are Cookies and Sessions and How they work. Simple examples

Sessions and cookies are useful mechanisms that allow us to store data about a user’s activities on a website. But they do it differently and they serve different purposes. We are going to dig into both in this article.

Cookies

On an e-commerce website, we can put things we consider buying in a shopping cart or on a wish list and then continue shopping and browsing on other pages without losing our selected items. We can do this thanks to cookies.

When visiting a website, small pieces of data as key=value pairs, called cookies, are stored as text files in the user’s web browser.

These cookies contain information that is sent with each HTTP request to the server, enabling it to remember the user, their behavior, and their preferences.

Setting Cookies

In order to create a cookie, we use the setcookie() function.

Syntax of the setcookie function

This function accepts some parameters. Let’s describe the most important of these parameters in some detail:

Name: It is the only required parameter containing the name of the cookie.

Value: Optional parameter. It is used to set the cookie’s value. If not specified, the default value is an empty string.

Expire: Optional parameter. It is used to set the expiration date of the cookie in seconds since the Unix Epoch. If not set, the cookie expires at the end of the current session.

Path: Optional parameter. Contains the path on the server where the cookie is available. If not set, the cookie is available in the entire domain.

Domain: Optional parameter. Specifies the domain for which the cookie is available. If not specified, the cookie is available in the domain of the request.

Secure: Optional parameter. It indicates that the cookie is intended for secure connections (HTTPS) only. It is set to a boolean value. If TRUE, the cookie will only be sent over HTTPS. If not specified, it defaults to FALSE.

Example of a cookie set with the setcookie() function:

We can set a cookie to expire at any time we want beyond the current session.

We see that the cookie we created is persistent: we can set it to expire on the client at any time we want beyond the current session. In our example, we set it to expire in one month.

That means we can close the browser, reopen it a couple of weeks later and it will still “remember” our surname.
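The one-month cookie described above, written out as an added example (this is not the article’s own code). It uses the options-array form of setcookie(), available since PHP 7.3, and passes the path explicitly so the cookie does not depend on the default path. The cookie name “surname” matches the article; the value “Smith” is a made-up sample. The httponly and samesite attributes go beyond the parameters listed above; they are real setcookie() options that keep the cookie out of reach of page scripts and off cross-site requests.

```php
<?php
// Added example: set a "surname" cookie that expires one month from now.
// setcookie() adds a Set-Cookie response header, so it must run before
// the script produces any output.

$oneMonth = 30 * 24 * 60 * 60; // thirty days, expressed in seconds

$ok = setcookie('surname', 'Smith', [
    'expires'  => time() + $oneMonth, // Unix timestamp; 0 would mean "until the browser closes"
    'path'     => '/',                // available on the whole site, not only this directory
    'domain'   => '',                 // empty: only the host that served this page
    'secure'   => true,               // sent over HTTPS only
    'httponly' => true,               // not readable from JavaScript (document.cookie)
    'samesite' => 'Lax',              // not sent on cross-site POST requests
]);

// setcookie() returns false when the headers have already been sent,
// which usually means some output (even whitespace) came before this call.
if (!$ok) {
    error_log('Could not set the surname cookie: output already started?');
}

// The browser stores the cookie and sends it back with later requests;
// $_COOKIE is filled from the request headers, so the new value only
// shows up in $_COOKIE on the NEXT request, not on this one.
echo 'Cookie sent; reload the page to see it in $_COOKIE.';
```

Opening the Application tab of the developer tools after the reload shows the cookie with exactly these attributes, which is a quick way to confirm that Secure and HttpOnly were actually applied.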

Checking for a cookie is very easy with the help of developer tools. Selecting the Application tab and the Cookies section enables us to see all the active cookies on a page.

We can examine cookies with the help of developer tools.

Because cookies are fully visible, and editable, on the client like this, we don’t want to store sensitive data in a cookie.

Accessing Cookies

We can access cookies using the $_COOKIE superglobal.

PHP’s $_COOKIE superglobal is an associative array that stores the values of cookies sent by the browser at the current request. The values are organized in a list, with the cookie name acting as the key.

Continuing from the previous example:

Accessing cookies with the use of $_COOKIE superglobal.

Deleting Cookies

To delete a cookie, you can set its expiration time to a past date:

The expiration time is set to a past date in order for the cookie to be deleted.

The above cookie is now expired and the browser will delete it. The expiration time is set to 1, that is, one second after the Unix epoch (1 January 1970 00:00:00 UTC).

NOTE: We should pass the same parameters (path, domain and so on) that we passed when the cookie was created, otherwise the cookie will not be deleted. If the parameters are not the same, the cookie will remain set.
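Reading the cookie back through $_COOKIE and then deleting it with matching attributes, as an added example that is not part of the original article. It assumes the “surname” cookie was set with path “/”, empty domain, Secure, HttpOnly and SameSite=Lax, so the deletion call repeats exactly those values; a deletion with a different path or domain would leave the original cookie in place.

```php
<?php
// Added example: read the "surname" cookie sent with this request, then
// delete it. All header-producing calls happen before any output.

// $_COOKIE only holds cookies the browser chose to send with THIS request,
// so check for presence before using the value.
$surname = $_COOKIE['surname'] ?? null;

if ($surname === null) {
    $message = 'No surname cookie was sent.';
} else {
    // Cookie values come from the client and can be edited freely in the
    // browser's developer tools, so treat them as untrusted input: accept
    // only a plain name pattern and escape it for HTML output.
    if (!preg_match('/^[\p{L} \'-]{1,64}$/u', $surname)) {
        $surname = 'unknown';
    }
    $message = 'Hello, ' . htmlspecialchars($surname, ENT_QUOTES, 'UTF-8');
}

// Deleting: expiry in the past (1 = one second after the epoch). The path,
// domain, secure, httponly and samesite attributes MUST match the ones used
// when the cookie was set; otherwise the browser keeps the original cookie.
setcookie('surname', '', [
    'expires'  => 1,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
unset($_COOKIE['surname']); // also drop it from this request's array

echo $message;
```

Because the deletion is itself just another Set-Cookie header, the page still greets the user on this request and only the next request arrives without the cookie.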

This is applicable in cases where we add things to the cart as a guest (unauthenticated). However, if the user is logged in, storing the cart in the backend is the preferred way, so that they can visit later from another browser or device without losing their selected items.

Sessions

A session is a mechanism to store data about the user’s interaction with a website. This data is used across multiple pages or requests and is useful only during the time a user is interacting with the website.

After the connection is ended, or the browser is closed, the session is usually destroyed.

Sessions are stored on the server. PHP uses a session ID to associate a user’s data with their specific session.

This session ID is usually stored in a cookie on the client’s browser.

The server generates and manages the session IDs. For every user connected to the server, there will be a corresponding session ID. If a thousand users are visiting a website, there will be a thousand respective session IDs on the server.

So, although a server has multiple clients for a website, thanks to these unique session IDs, it knows which session belongs to whom.

The basic idea is that the client provides the server with a session ID and the server then looks up this session ID in its session data store. If it finds it there, it gives the client access to their session data.

It is like a hotel guest asking the hotel reception for the room key. The person at the desk will ask for the room number and an ID. If that ID matches the name of the guest on the room’s file, he/she will issue the room key. With that room key, the guest gains access to their allocated room but not to any of the dozens of other rooms on the premises.

Session Initialization

To start a session you use the session_start() function. This is called at the beginning of each page where you want to use session data.

The session_start() function starts the session.

Data Storage

You can store data in the session using the $_SESSION superglobal. For example:

We can store data in a session.

Data Retrieval

Later on, you can access the stored data:

We can access that data.

Session Termination

To end a session and remove all session data, you use the session_destroy() function.

Terminating a session is easy with the session_destroy() function.

We see that sessions are very important: without them, servers would have no way of recognizing or remembering individual users, and every time we visited, or browsed between the pages of a website, we’d have to log in again.

Wrapping Up

Cookies are used to store small pieces of data in the user’s browser, and are useful for storing non-sensitive information, like user preferences or items in a shopping cart.

Sessions, on the other hand, provide a higher level of security for sensitive data compared to cookies since they are stored on the server and are more suitable for storing and managing user-specific data.

Although my blog doesn’t support comments, feel free to reply via email or X.