
What's the difference between a cookie and a session in PHP?

PHP sessions improve upon cookies because they allow web applications to store and retrieve more
information than cookies. PHP sessions actually use cookies, but they add more functionality and
security.
Sessions store data on the server, not on the browser like cookies
The main difference between a session and a cookie is that session data is stored on the server,
whereas cookies store data in the visitor's browser. Sessions use a session identifier to locate a
particular user's session data. This session identifier is normally stored in the user's web browser in a
cookie, but the sensitive data that needs to be more secure (like the user's ID, name, etc.) will
always stay on the server.
Sessions are more secure than cookies
So, why exactly should we use sessions when cookies work just fine? Well, as we already mentioned,
sessions are more secure because the relevant information is stored on the server and not sent back
and forth between the client and server. The second reason is that some users either turn off cookies
or reject them. In that scenario, sessions, while designed to work with a cookie, can actually work
without cookies as a workaround, as described in "Can PHP sessions work without cookies?".
Sessions need extra space, unlike cookies
PHP sessions, unlike cookies which are just stored on the user's browser, need a temporary
directory on the server where PHP can store the session data. For servers running Unix this isn't a
problem at all, because the /tmp directory is meant to be used for things like this. But if your server
is running Windows and a version of PHP earlier than 4.3.6, then the server will need to be configured.
Here is what to do: Create a new folder on your Windows server; you can call it something like
C:\temp. You want to be sure that every user can read and write to this folder. Then, you will need to
edit your php.ini file, and set the value of session.save_path to point to the folder which you created
on the Windows server (in this case, that folder is C:\temp). And finally, you will need to restart
your web server so that the changes in the php.ini file take effect.
Sessions must use the session_start function
A very important thing to remember when using sessions is that each page that will use a session
must begin by calling the session_start() function. The session_start() function tells PHP to either start
a brand new session or access an existing one.
How session_start in PHP uses cookies
The first time the session_start() function is used, it will try to send a cookie with a name of
PHPSESSID and a value that looks something like a30f8670baa8e10a44c878df89a2044b, which is
the session identifier, made up of 32 hexadecimal characters. Because cookies must be sent before any
data is sent to the browser, this also means that session_start() must be called before any data is sent
to the Web browser.
Registering values to the session
After the session_start function is called, values can be registered to the session using the $_SESSION
associative array. This is what it would look like:
$_SESSION['name'] = 'Jack';
$_SESSION['last_name'] = 'Lopez';
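
The steps above put together with the session cookie locked down, as an added example that is not part of the original page. It assumes PHP 7.3 or later for the array form of session_set_cookie_params(); the function mark_logged_in(), the key 'user_id' and the value 42 are made up for illustration.

```php
<?php
// Added example (not from the original page). Needs PHP 7.3+.
// mark_logged_in() and the 'user_id' key are hypothetical names.

// session_start() has to send the PHPSESSID cookie header, so it must run
// before any output. Fail loudly instead of silently losing the session.
if (headers_sent($file, $line)) {
    throw new RuntimeException("Output already started at $file:$line");
}

// Only the identifier travels in the cookie; restrict how it travels.
ini_set('session.use_strict_mode', '1'); // reject IDs the server did not issue
session_set_cookie_params([
    'lifetime' => 0,      // cookie ends when the browser closes
    'path'     => '/',
    'secure'   => true,   // send over HTTPS only
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',  // not attached to cross-site subrequests
]);

session_start();

// First visit: register values. They are written under session.save_path
// on the server and are never sent to the browser.
if (!isset($_SESSION['name'])) {
    $_SESSION['name'] = 'Jack';
    $_SESSION['last_name'] = 'Lopez';
}

// After a privilege change such as login, issue a fresh identifier and
// delete the old session data so a previously known ID becomes useless.
function mark_logged_in(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

mark_logged_in(42); // constructed sample value

// The browser only ever holds the cookie name and an opaque identifier.
printf("%s cookie carries a %d-character id\n", session_name(), strlen(session_id()));
printf("Hello %s %s\n",
    htmlspecialchars($_SESSION['name']),
    htmlspecialchars($_SESSION['last_name']));
```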
