Hidden input fields vs Session Vs Cookie

Question

What are the pros and cons of storing data in:

1. Hidden input fields
2. Cookies/local storage
3. Server side sessions

Answer 1

Those three are not mutually exclusive things.

hidden input

A hidden input is just HTML sent to the client. It does not appear on the page to the end-user, but it is entirely accessible to the client. Meaning that the user can see it (just as they can see any HTTP response from your server) by using the View Source feature in their browser.

cookie

A cookie is just another HTTP header consisting of a cookie name/value pair, that can be sent back and forth between the client and server in every request/response. This is also visible to the end-user by checking the HTTP headers from their browser's developer tools.

session

The term session, on its own, is dubious, because there can be client-side sessions (stored in the client's browser like with HTML5 Sessions) or it can be a server-side session.

In PHP, the session functions that you're probably referring to store the session data on the server, but send only an identifier to the client that is associated with their session. This is the session_id that is usually sent back to the client as a cookie.

---

All three of these things typically work together in conjunction to do various things. So asking, which is better, is like asking which part of my car is better; the engine, the wheels, or the steering column?

In order to know how something is better you must be able to relate it to something else. Otherwise, the question makes no sense.

If you're asking when it would be appropriate to use things and for what then the answer depends on what your needs are.

1. Sessions
   • Use server-side sessions to store information that you don't want the client to have direct control over or access to, but must be retained to facilitate application state. This is generally viewed as temporary or ephemeral storage so it is not critical for your application code to function, but is necessary to maintain state for the user between HTTP requests. Remember that a PHP session relies on cookies by default. So the question isn't do I use a cookie or a session, but more so... what is a session typically used for.
2. Cookies
   • Use cookies to store temporary values that you want the client to hold on to between requests. When you send a cookie, the browser will hold on to that cookie until the Expire header is reached or the end-user decides to delete it. So this is useful for storing small, short-lived data, that only matters to your UI components primarily, but the server need be informed of them during load times. This could be things like language settings, turn audio on/off, color preferences, etc...
3. Hidden input
   • Use hidden inputs when you don't need the end-user to see or interact with the input field on the page, but the server still expects the value to be sent. This is typically used for things like CSRF tokens, or any value that the server expects to get back, but the user isn't required to know or provide upfront. These values are usually sent by your server in the initial page load.

When the question changes from "which is better" to "what are the uses of each" the answers generally start to become a lot more meaningful, because you will more than likely use all of them.