The Difference Between a Cookie and a Session

December 2022 · 3 minute read


This is a question that normally pops up for those new to web design or programming for the web.

Or maybe you’ve heard your cookies can get stolen, and you’re worried about the security implications?

Either way, it’s a valid question, and very easy to answer. Let’s jump in.

What is a Cookie?

A cookie is a client-side file that contains information. This information could be the items in a shopping cart or a username and password combination. (1)

Beware though, there is a dangerous side to cookies.

I’ve heard a few horror stories of cookies being stolen. Public Wi-Fi hotspots can be prowling grounds for hackers who steal your cookies. (2)

By stealing a cookie, a hacker can gain personal information about you. They can even steal your banking details. Yikes. (2)

It is best practice to delete your cookies before connecting to a Wi-Fi hotspot. Sure, it’s a bother to have to enter all your info again, but better safe than sorry, right?

Just don’t forget your password, and don’t enter sensitive websites where your credit card details are stored when on a public Wi-Fi network. This should keep you safe.

What is a Session?

A session can have a lot of different definitions. For example, a session can be launched when you log onto your computer, and stopped when you shut down. (3)

In the context of web programming, however, the term is mostly associated with PHP (a server-side language). (3)

In this case a session is a variable piece of information stored on the server side of a website. This can be a set of variables, state, or settings. (3)

Sessions are more secure than cookies, since they’re normally protected by some kind of server-side security. This does not make them infallible, however. Just look at the time the PlayStation Store was hacked.

It’s very rare that things like this happen, however. You can generally rest assured that your information will be safe on the server side.

Cookies and Sessions Hand-in-Hand

They may have their differences, but these two work hand-in-hand, mostly.

The session can hold onto your username and password, while you get a cookie stored on your PC. This cookie will have a specific ID that links to the session the next time you go online. (4)

This is typically what happens when you check the “remember me” option whilst giving the site your username and password.

It’s also how it works when you’re shopping in an online store, and the store remembers the contents of your cart – even after you’ve logged off.
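As an added example (not code from the original post), here is a minimal version of that link in Python: the username lives in a server-side store with a time-out, and the browser only ever receives an opaque random ID in a cookie, so a stolen cookie carries no personal data by itself. The store, the cookie name and the time-out value are assumed for the example.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Constructed in-memory session store: session ID -> {"user": ..., "expires": ...}.
# A real site would use a database or cache, but the shape is the same.
SESSIONS = {}
SESSION_TTL = 30 * 60  # server-side time-out in seconds (assumed value)
COOKIE_NAME = "sid"    # assumed cookie name


def create_session(username, now=None):
    """Store the user's data server-side and return (session_id, Set-Cookie header).

    Only the unguessable random ID goes to the browser; the username stays on the server.
    """
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)  # opaque: nothing in it to decode
    SESSIONS[session_id] = {"user": username, "expires": now + SESSION_TTL}
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = session_id
    cookie[COOKIE_NAME]["httponly"] = True   # not readable by page scripts
    cookie[COOKIE_NAME]["secure"] = True     # only sent over HTTPS
    cookie[COOKIE_NAME]["samesite"] = "Lax"  # not sent on cross-site POSTs
    cookie[COOKIE_NAME]["path"] = "/"
    return session_id, cookie.output(header="Set-Cookie:").strip()


def resolve_session(cookie_header, now=None):
    """Look up the session named by a request's Cookie header.

    Returns the stored username, or None if the cookie is missing, unknown or timed out.
    """
    now = time.time() if now is None else now
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    morsel = cookie.get(COOKIE_NAME)
    if morsel is None:
        return None
    session = SESSIONS.get(morsel.value)
    if session is None:
        return None
    if session["expires"] <= now:
        del SESSIONS[morsel.value]  # timed out: forget it on the server too
        return None
    return session["user"]
```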

Security Concerns

You can encrypt your cookies to boost security by a massive amount. Usually this means hiring a company or paying for a service that does this for you.

Doing it yourself, unless you’re a high-level programmer, will probably achieve nothing and you’ll just end up with a headache.

For more information on securing your cookies, you can check this post out.

Now you know

There’s not much more to it than that. It’s pretty easy and basically boils down to:

Summary

Cookie                                         | Session
-----------------------------------------------|------------------------------------------
Client-side file                               | Server-side file
Carries risk (unless secured)                  | Secure
Remembers info until deleted by you or expiry  | Remembers info until web site time-out
Usually contains an ID string                  | Usually contains more complex information
Specific identifier links to server            | Specific identifier links to user
