Rails v2.3 : Difference between session and cookies

I am learning Rails by reading the online guide (for Rails v2.3). The guide is great; however, there is one thing that confuses me:

There is a chapter that explains the Session of Rails and another chapter that explains Cookies of Rails. The explanations are easy to understand separately, but when comparing the two, a reader like me does not see the significant difference between Session and Cookies, especially under which situation a session should be used and under which situation cookies should be used.

Besides, in the session chapter there is the concept of CookieStore. What is the difference between the CookieStore and cookies, then?

Could someone explain these to me?

Leem asked Oct 12 '11 16:10


4 Answers

Sessions and cookies both have the ability to store some information (e.g. the current_user id) between two or more requests, which (in HTTP) are otherwise stateless.

But a session is more of an abstract concept related to the notion of being in a certain state for a specific amount of time: the info it contains can be stored in the database, in a server-side file, in a Redis hash, OR in a cookie.

Cookies are always the little text files browsers have for storing some persistent data between requests... But having some data on the client side can be insecure, so that's why it is often encrypted. But it's true that the notion can overlap with session.

TL;DR: a session is the abstract concept of holding temporary data. Cookies are one (common) way of doing it.

charlysisto answered Nov 16 '22 00:11


A cookie is a small text file stored in the browser.

A session is the concept of a state of being "in-use", and that state can have data associated with it. Rails keeps track of sessions with cookies, and lets you choose different storage for associated data and access it with the same session interface.

CookieStore means all the session information is stored inside the cookie itself. You can choose to use various other stores where appropriate, and it'll still be available with your session accessor methods.

In addition to the session, you can set other cookies to store information on the user's browser. These are not tied to the session and can be set, accessed and deleted independently.

Example 1, storing a logged-in user's shopping cart in a session:

session[:embarassing_products] = ['ooh',
                                  'naughty',
                                  'lucky_im_using_activerecord_store',
                                  'only_the_session_id_is_in_the_cookie',
                                  'other_data_arent_in_the_browser']

The shopping cart is preserved for the user's session. You can set the session to end when the browser window is closed, when the user logs out, or when a certain amount of time passes.

Example 2, remembering a browser's last language preference for your domain in a cookie:

cookies[:lang] = 'en-US'   # the Rails accessor is `cookies`, not `cookie`

This information is stored inside the cookie itself. Unless the cookie expires or is deleted (by you or the user), it stays inside the browser.

jimworm answered Nov 15 '22 23:11


To me, the main difference is that the session data is stored on the server, whereas cookies are stored on the client (browser).

So you can trust the data from the session. Information from a cookie can be manipulated or stolen, and thus should not be relied on for critical use (for access rights, for example).

The second point is that cookies have a limited size and are only text-based. You can store many complex objects in the session (but beware of memory consumption), and you don't have to transfer them to the client and back on each request.

Pierre Sevrain answered Nov 16 '22 01:11
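The two answers above (jimworm's on CookieStore versus other stores, and Pierre Sevrain's on why cookie data cannot be trusted) can be made concrete without Rails. The following is an added example, not code from the answers or from Rails itself: `SignedCookieStore` and `ServerSideStore` are hypothetical, simplified stand-ins for a CookieStore-style session (the whole session hash travels in the cookie, protected by an HMAC so the server can detect edits) and for an ActiveRecord/Redis-style store (only a random session id travels in the cookie). The secret stands in for the application's secret token, and the JSON/HMAC-SHA256 encoding is a simplification of what Rails actually uses.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'

# Hypothetical CookieStore-style session: the session hash itself is
# serialised into the cookie value and signed. Signing detects tampering;
# it does not hide the contents from whoever holds the cookie.
class SignedCookieStore
  def initialize(secret)
    @secret = secret # stands in for the app's secret token (constructed)
  end

  # Cookie value to send to the browser: "<base64 payload>--<hex hmac>".
  def dump(session)
    payload = Base64.strict_encode64(JSON.generate(session))
    "#{payload}--#{sign(payload)}"
  end

  # Session hash read back from the cookie, or nil if the signature
  # does not verify or the payload is malformed.
  def load(cookie_value)
    payload, sig = cookie_value.to_s.split('--', 2)
    return nil if payload.nil? || sig.nil?
    return nil unless secure_compare(sign(payload), sig)
    JSON.parse(Base64.strict_decode64(payload))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  private

  def sign(payload)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, payload)
  end

  # Constant-time comparison so the verifier does not leak how many
  # leading bytes of a forged signature were correct.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Hypothetical server-side store: the cookie carries only an opaque id,
# the data stays on the server (a Hash stands in for the database).
class ServerSideStore
  def initialize
    @sessions = {}
  end

  def dump(session)
    id = SecureRandom.hex(16)
    @sessions[id] = session
    id
  end

  def load(cookie_value)
    @sessions[cookie_value]
  end
end

# Walk through both stores with a constructed shopping-cart session.
def demo
  secret = SecureRandom.hex(32)
  cart = { 'user_id' => 42, 'cart' => ['ooh', 'naughty'] }

  cookie_store = SignedCookieStore.new(secret)
  cookie = cookie_store.dump(cart)
  legit = cookie_store.load(cookie)

  # The client can read the payload: it is only encoded, not encrypted.
  readable = JSON.parse(Base64.strict_decode64(cookie.split('--', 2).first))

  # A client that edits user_id but keeps the old signature is rejected.
  forged_payload = Base64.strict_encode64(JSON.generate(cart.merge('user_id' => 1)))
  forged = cookie_store.load("#{forged_payload}--#{cookie.split('--', 2).last}")

  db_store = ServerSideStore.new
  sid = db_store.dump(cart)

  {
    legit: legit,                       # original hash round-trips
    readable_cart: readable['cart'],    # contents visible to the client
    forged: forged,                     # nil: tampering detected
    sid_length: sid.length,             # 32 hex chars, nothing else in the cookie
    sid_leaks_cart: sid.include?('ooh'),
    server_copy: db_store.load(sid)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The contrast is the security point of both answers: with the cookie-based store the signature stops the browser from changing `user_id`, but anyone holding the cookie can still decode and read the cart, and the whole payload is sent on every request; with the server-side store the browser only ever sees a random id, so nothing about the session leaks through the cookie and the size limit of cookies is irrelevant.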


And typically the session only persists until the user shuts down their browser. That's useful for typical logins. Whereas if you needed information to persist between sessions you could use a cookie with a longer duration, for example a 'remember me' flag that persists even after the browser is restarted.

Homan answered Nov 16 '22 01:11