(dis)advantages of sessions vs cookies

I need some details about sessions. What are the disadvantages of session variables? Between cookies and sessions, which one is better?

chakku asked Dec 05 '22 23:12


2 Answers

I'm not going to touch on security here as Infotekka already went into it quite a bit. It seems like you are asking whether you should use a SESSION or COOKIE as if they are alternatives to one another.

They are not. They server (this was a typo... but I'm leaving it cuz it's a nice pun) different purposes.

As HTTP is stateless, PHP (and others) offer the ability to simulate a state machine in your application through the use of a Session. If you did not do this, you would have to use POST/GET between every page to keep the data consistent, and if the user goes to another page on their own that data will be lost! So without a SESSION, you wouldn't be able to have a user logged in to your site .. at least not very consistently.

To summarize, SESSION is used to keep data between multiple pages of your site without using HTTP for an extended period of time. That's what it is used for.

I suppose you could use COOKIE to do this, but it is much more complicated as a cookie, especially when dealing with objects serialized to the session. COOKIEs that are set also cannot be accessed until the next page load and must be set before any output by the script (like any other header).

Sessions should be just that -- the session that the user has when they sit down at their computer for however long to do work on the site. When they leave, the session ends.

Cookies should be used to store simple data for a long period of time. If they go to the website a lot, they might want their username to be remembered for them, so it can be stored as a cookie. Just be mindful of the security issues noted by Infotekka.

EDIT: Finally, I should add that COOKIEs are transmitted on every page request between the user and browser. More Cookies means more page load time.

Explosion Pills answered Dec 07 '22 13:12


That's a pretty open-ended question, but I think the most important thing that you should consider when using the session in PHP is how easy it is to hijack. The PHP session stores all of its values in the server cache, where it is retrieved based on a session id that is written to a cookie on the client. As long as that session is active, a client that connects with that session id will be granted access to that session.

There are some scary programs out there, like firesheep, that can show you just how easy it is to nab a session id and make it your own. If you are going to base any security on that session, you need to make certain that EVERYTHING you do is over SSL, and you should build in some second tier of validation to make sure your session hasn't been hijacked.

All that being said, the session is a great place to store persistent values that you will need to access over the lifecycle of the user's application experience.

Infotekka answered Dec 07 '22 13:12
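As an added example (not code from either answer), here is what the "everything over SSL" plus "second tier of validation" advice looks like in PHP: the session id cookie is restricted to HTTPS and kept away from scripts, the session is bound to a client fingerprint with an idle timeout, and the id is regenerated at login. The function names, the `APPSESSID` cookie name and the 30-minute limit are this example's own choices.

```php
<?php
declare(strict_types=1);

// Added example, not code from the answers above: a hardened session start for
// PHP. The function names and the 'APPSESSID' cookie name are this example's own.

const IDLE_LIMIT = 1800; // seconds of inactivity before the session is dropped

function secure_session_start(): void
{
    // Accept only ids the server itself issued, and only from the cookie.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    // Secure: the id is never sent over plain HTTP (the "everything over SSL" point).
    // HttpOnly: page scripts cannot read it. SameSite: not sent on cross-site requests.
    session_set_cookie_params([
        'lifetime' => 0,        // cookie lives only until the browser closes
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_name('APPSESSID');
    session_start();

    // Second tier of validation: the id alone is not enough. Bind the session
    // to a client fingerprint (a heuristic, the User-Agent can be spoofed) and
    // enforce an idle timeout so a stolen id has a short useful life.
    $fp    = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $now   = time();
    $stale = isset($_SESSION['last']) && ($now - $_SESSION['last']) > IDLE_LIMIT;
    if ((isset($_SESSION['fp']) && !hash_equals($_SESSION['fp'], $fp)) || $stale) {
        $_SESSION = [];               // drop everything the old id was tied to
        session_regenerate_id(true);  // and delete the old id's data server-side
    }
    $_SESSION['fp']   = $fp;
    $_SESSION['last'] = $now;
}

// After a successful password check: issue a fresh id so an id the client held
// before authenticating (fixation) cannot be turned into an authenticated one.
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

Call `secure_session_start()` before any output on every page that touches `$_SESSION`; the fingerprint check is only a heuristic, so it complements rather than replaces serving the whole site over HTTPS.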