When should you use session variables instead of cookies?

Session variables and cookies seem very similar to me. I understand the technical differences, but how do you decide when to use them against each other?

+55
cookies session-variables
Feb 10 2018-10-21
12 answers
  • Sessions are stored on the server, which means that clients do not have access to the information about them that you store. Session data stored on your server should not be transferred completely from each page; clients simply have to send an identifier and the data is downloaded from the server.

  • Cookies, on the other hand, are stored on the client. They can be reliable for a long time and allow you to work more smoothly when you have a cluster of web servers. However, unlike sessions, the data stored in cookies is transmitted completely with every page request.

  • Avoid storing data in cookies.

    • This can be seen, read and modified by the end user or intercepted by those who have vile intentions. You cannot trust any data in cookies other than "session_id".
    • This increases throughput if you add 1k of data per page request per user, which can increase throughput by 10-15%. It may not be expensive in terms of $$, but it may be in terms of performance. This will actually reduce the throughput of your server by 10-15%, i.e. it may require more servers.
  • What you can store in the session data depends on the amount of data and the number of users that you have. no_of_users * size_of_session_data should be less than the free memory available on your server.

+54
Feb 10 2018-10-10
  • Always use sessions
  • Use cookies only if you need longer login sessions - then add cookies with an encrypted user ID.
+10
Feb 10 '10 at 22:07

In most cases, session state is saved using cookies. So this is not a question of one or the other, but how to use them together.

Using the framework infrastructure can simplify the task, but manually tracking the state with cookies usually gives you finer control. The correct decision depends on what you are trying to accomplish.

+7
Feb 10 2018-10-10

Cookies can last longer than one session. However, cookies can also be deleted by the user or you may have a user whose browser does not accept cookies (in this case only the server session is running).

+5
Feb 10 '10 at 21:43

Cookies are on the client side and sessions are on the server side.

Use cookies for small pieces of data that you can trust the user with (for example, font settings, site theme, etc.), and for opaque identifiers for server-side data (such as a session identifier). Expect that this data can be lost at any time and cannot be trusted (i.e. it needs to be cleared).

Use session data for large chunks of data (for many systems, objects, data structures, etc. can be stored) and for those that you should trust - for example, for authorization status, etc. In general, use session data to store large state data.

You can also store things like authorization status in cookies if necessary for the graphical user interface, caching, etc., but never trust this and never rely on its presence. Cookies are easy to remove and easy to fake. Session data is much more difficult to fake, as your application controls them.

+5
Feb 10 '10 at 22:02
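
The split described in the answer above, as an added example that is not part of the original answers: a preference cookie is validated against an allow-list, and authorization is read only from the server-side record behind an opaque session ID. The cookie names `sid`, `theme` and `is_admin`, the in-memory store and the 30-minute timeout are assumptions made for the illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 1800                  # assumed timeout, in seconds
ALLOWED_THEMES = {"light", "dark"}  # assumed set of valid preference values
_sessions = {}                      # session id -> server-side state (in-memory stand-in)

def create_session(user, is_admin, now=None):
    """Keep trusted state on the server; hand the client only a random id."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {"user": user, "is_admin": is_admin,
                      "expires": now + SESSION_TTL}
    return sid

def handle_request(cookie_header, now=None):
    """Build the request context from a raw Cookie header."""
    now = time.time() if now is None else now
    cookies = SimpleCookie()
    cookies.load(cookie_header)
    # Preference cookie: harmless if forged, but still checked before use.
    theme = cookies["theme"].value if "theme" in cookies else "light"
    if theme not in ALLOWED_THEMES:
        theme = "light"
    # Authorization comes only from the server-side record, never from
    # a client-supplied field such as an "is_admin" cookie.
    sid = cookies["sid"].value if "sid" in cookies else ""
    state = _sessions.get(sid)
    if state is not None and state["expires"] <= now:
        del _sessions[sid]          # expired: drop the record and treat as anonymous
        state = None
    return {"theme": theme,
            "user": state["user"] if state else None,
            "is_admin": bool(state and state["is_admin"])}
```
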

Cookies are sent to the server with every request, so if you plan to store enough data, save them in a session.

Otherwise, if you store small amounts of data, a cookie is fine.

Any sensitive data must be stored in the session, as cookies are not 100% secure. The advantage of cookies is that you can save memory on your server, which usually stores session data.

+2
Feb 10 2018-10-10

One of the drawbacks of PHP sessions is how session processing works. In particular, only one process / request can have a session open for writing at a time. At session_start() the session file is locked. If other requests arrive, they queue up and wait for their turn.

In other words, if you use AJAX on a page to update multiple items, you don't want the AJAX requests to open the same session: they will be forced into the queue, and if one of these requests gets stuck, it won't release the session, which will result in the browser freezing, since opening a new tab or window only puts another unfulfilled request in the queue on the server. Using session_write_close() as soon as possible to free the session is a partial workaround.

A long-term request with a user who is bored and opens more windows may have the same effect of a browser freeze.

I recommend avoiding PHP sessions.

+2
Aug 04 '17 at 21:44

Sessions are stored on the server. If you store something in a cookie, the user's browser sends this information with each request, which potentially slows down your site from the user's point of view. I try to avoid the use of cookies when I can.

+1
Feb 10 2018-10-10

Use sessions only if the data is too large for cookies or if the data is so large that it can slow performance if you use cookies.

For example, if you save data smaller than the size of the session identifier in your cookie, for example two tokens for login or something like that, then I do not understand why you would use sessions instead of cookies.

Also note that PHP session files are saved to disk by default, compared to cookies that are stored only on the client side.

0
Aug 27 '16 at 12:05

Sessions are stored on the server side. If a visitor saves something in a cookie, the browser will send user information for each request made.

This leads to the fact that servers spend a lot of computer time and slow down the user. Some browsers also do not support cookies, which gives more benefits to sessions than cookies ... I highly recommend sessions.

This may help: Cookies (php.net)

0
Aug 27 '16 at 12:59

Your specific guide

NB. The cookie is stored in users' browsers, and the session is stored on your host server computer.

When to use

  1. Use a cookie if you want your application to always remember user data, even if they have closed their browsers. For example, whenever you enter www.facebook.com, you go to your account, even if your browser has been closed and reopened.

    Because all the data stored in the session is deleted after closing the browser.

  2. Use a cookie when the information you need to save is much larger than usual ... If you have a larger user base, such as Facebook, think about how it will look when storing all user sessions on the host computer.

  3. Use a session when the user information to be stored is no more than usual and you do not want the public to have access to your user variables ...

0
Jul 15 '17 at 8:22

Sessions and cookies do not match at all. Cookies are client side. Sessions are server side. Sessions often (but not necessarily) use cookies to relate one request to another from the same user to determine that they belong to the same session.

A session is an artificial concept, and HTTP does not have this concept. It is created by web servers to help web developers transfer information on request, such as user account information, shopping carts, form data, etc. A cookie is transmitted by standard HTTP headers.

The information that you store in the session and not in the cookie is up to you. Usually, you put into cookies the things that you want to keep across sessions after the user closes his browser. Maybe remembering authentication tokens to implement the “remember me” function or past user actions to personalize his / her experience. Keep this information small and “reference”, that is, it can simply be identifiers that refer to the richer information that you store on the server side. Remember that the client side is more vulnerable to malware, so do not store passwords and confidential information.

Finally, there is also a local repository that you have not mentioned. This is also on the client side, but perhaps a little less prone to cross-site scripting hacking, because, unlike cookie data, they are not sent automatically in the headers.

0
Jul 03 '19 at 19:50
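
A "remember me" cookie of the kind two of the answers above mention (the longer-login cookie and the reference-only authentication token), as an added example that is not part of the original answers. It swaps the "encrypted user ID" for a random token whose hash is stored on the server, so the cookie carries only a reference; the `selector:validator` layout, the in-memory store and the 30-day lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

REMEMBER_TTL = 30 * 24 * 3600   # assumed lifetime: 30 days
_tokens = {}                    # selector -> (sha256(validator), user_id, expires)

def issue_token(user_id, now=None):
    """Return the cookie value; the server keeps only a hash of the secret part."""
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(12)     # lookup key, not secret
    validator = secrets.token_urlsafe(32)    # secret, never stored in clear
    digest = hashlib.sha256(validator.encode()).digest()
    _tokens[selector] = (digest, user_id, now + REMEMBER_TTL)
    return selector + ":" + validator

def redeem_token(cookie_value, now=None):
    """Return (user_id, replacement cookie value), or (None, None) if invalid."""
    now = time.time() if now is None else now
    selector, sep, validator = cookie_value.partition(":")
    # Single use: the record is removed on any attempt, so a replayed or
    # guessed value also invalidates the stored token.
    record = _tokens.pop(selector, None) if sep else None
    if record is None:
        return None, None
    digest, user_id, expires = record
    presented = hashlib.sha256(validator.encode()).digest()
    if expires <= now or not hmac.compare_digest(digest, presented):
        return None, None
    # Valid: rotate, so each cookie value works exactly once.
    return user_id, issue_token(user_id, now)
```

On success the caller would start a normal server-side session for `user_id` and set the replacement value as the new cookie.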