Cookies or Sessions are better??

**auriaks** · 02-15-2010, 08:58 PM

I wonder about what is better...

Cookies and sessions have their pluses, but why we use theese types? Also I would like to know more about cookies because I used sessions before.

**djr33** · 02-15-2010, 09:53 PM

This is a coding question, not a social thread, so I have moved it.

Since you did not post this in PHP, I am not sure if you are referring only to PHP.

Sessions are almost always better, if you can use them.
Of course the most important question then is whether or not you can use them.

The main requirement for using sessions is that you are using PHP.

So this means that sessions ONLY work in PHP and if you are using another language (Javascript? ASP? etc.) then cookies are your only answer.
However, other similar languages (ASP, CGI, etc.) may have similar "sessions", but I don't know about that. You could also program them yourself, but that's a lot of work. The language would need to be a serverside language, though (due to the way the data is stored), so if you are using Javascript (and other client side languages like, for example, flash), then you won't be able to use sessions or anything like it.

The other consideration then is that if you are using Javascript and PHP, even if PHP can read the sessions, Javascript cannot. So if you want to have, for example, a menu state stored (the third dropdown is open), then this needs to be available to both Javascript and PHP-- then use cookies.

So in conclusion for that part: if you are using PHP and do not need the values to be available to Javascript, then sessions are probably better.

Sessions are a little complex to setup, but easier than working with cookies overall.
For example, cookies require that the page is reloaded in order for the value to exist (since it is sent in the initial request). Sessions work immediately.

Sessions do not require that the browser supports them. Sessions use a session id (usually a cookie) to store the id of the data set on the server. This can be a get or post variable if required, instead of cookies, so all browsers (regardless of cookies) will work.
Of course cookies require that the user accept cookies.
This is not a huge problem now, but in the past it was. If someone has very high security settings, though, cookies may still be blocked (but almost all relevant browsers are at least able to support them).

Sessions last for a "session" which is basically a single time using the website. A significant pause (15 minutes? 1 hour? -- it varies) will then make the session end and the user will be logged out, etc., and a new session will start.
If the user closes the browser or navigates away from your site, this can also occur.

Cookies (by default) work in the same way, but cookies can be alternatively set to last for more or less time. If you want a value to be available the NEXT time the user visits your site, a session will not work (since it will be gone by then). But a cookie will be available.
The problem there is that cookies are frequently deleted by users/browsers regardless of the actual expiration time (just cleaning up the system), so you cannot rely on that cookie still being there.
If this is a non-crucial value like mentioned above as which dropdown menu was active, that's fine. Sessions will never work, and cookies will work most of the time. In that case, use cookies.

Sessions are secure; cookies are not. You can store anything you want in a session and as long as your PHP code never prints it out to the user, it is safe. If you do this with cookies, the user can find it stored on their computer. This is because session data is stored on the server directly and is never accessible to the user except when you output it.
(Of course be careful and don't store anything too secure in it just because you might accidentally echo it at some point.)

Also, for security:
Cookies can be stolen from a user's computer (if they are hacked, etc.). There is no way to make this secure.
Sessions are controlled by that session id, so if that session id cookie is stolen the access to that "session" on the server can also be stolen. This is like with cookies. However, if you add an IP verification to your sessions/logins/etc, then this can be avoided.

There are other issues specific to certain properties of both, but in general I would recommend using sessions if you can.

Typically sessions are good for storing data for active users doing things on the website, like tracking progress in an online quiz.

Cookies are good for limited data that doesn't require a complex system, such as just making a note that the user has already visited your home page so now they don't get the intro popup.

Generally sessions and cookies do the same things, so you can decide which you like.

Sessions are easier to work with, though, once you get used to them.

Also, if you ever need a system that stores data permanently (or reliably over more than a single session), then it is time to create a database. Cookies will be unreliable especially over long periods of time, and sessions only work for a single instance of being on your site.

Another way to think of sessions is like a magical database that runs itself (just through $_SESSION) for one instance of being on your website. Cookies are like notes you stick on the user's computer, but they can do anything they want with those notes (including, among other things, modifying and deleting them).

**auriaks** · 02-15-2010, 11:32 PM

I think you can get rid of pop-ups problem by using sessions too.

Simple PHP:
Just create database and in the table with 3 rows store user_name, popup_name and value(seen/unseen).
If user logs and he has unseen popups - he will see them, because php can activate javaScript with echo "code";

The only problem would be UPDATE unseen to seen value.
It is possible to insert "close popup" button, which would process that updating.

I'm right?