I'm just wondering. What's the difference in PHP between setting a cookie without expiration (meaning it expires as the browser closes) and setting a session variable. I'm not talking about login and stuff l开发者_JAVA技巧ike that; rather not needing to fetch less-frequently changes database values on every page visit, etc.

P.S: you can protect your cookies even more by using http_only cookies. For PHP you could read http://ilia.ws/archives/121-httpOnly-cookie-flag-support-in-PHP-5.2.html. I forgot to do for this session example, but did use it for cookie example :(. When you use this your cookies can not be read from JavaScript with most browsers(that support http_only). To use http_only cookie for your session: ini_set("session.cookie_httponly", 1);

What's the difference in PHP between setting a cookie without expiration (meaning it expires as the browser closes) and setting a session variable

They can keep track of the same information, but with cookies(not using session) all information is stored on user/webbrowser which can be stolen by hackers or even altered to provide false information. For simple things you could use cookies, but then again I think you could also use sessions, because when you use cookie you need to transmit more information over the wire.

The internet(HTTP) standard is a stateless protocol(no memory) which has the advantage that it simplifies server design. The internet uses cookie to make it "remember".

Sessions only use cookie to store PHPSESSID inside cookie. Standard the rest of the information is stored on disc which is more secure way to keep state (store sensitive information). You could also encrypt your cookie to do this, but I think sessions is are nice way to do this.

You can override this behaviour and probably should when your website has high traffic to use something like memcached/redis to just store the session information inside memory(Memory is a lot faster than spinning disc to read file because memory also has no moving parts and is very close to CPU). For this to do you need to override session_set_save_handler. It is pretty easy to do with redis. To install redis just type make. Predis is the recommended(popular) redis client library for PHP. To save session information inside redis you could use redis-session-php.

Session

Code

I created a really simple php file to demonstrate sessions.

<?php

session_start();

if (!isset($_SESSION['count'])) {
    $_SESSION['count'] = 0;
}

echo $_SESSION['count']++;

Curl first time saving cookie

I am using Linux Ubuntu below.

alfred@alfred-laptop:~/www/stackoverflow/6717214$ curl http://localhost/stackoverflow/6717214/session.php -v -c cookie
* About to connect() to localhost port 80 (#0)
*   Trying ::1... Connection refused
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET /stackoverflow/6717214/session.php HTTP/1.1
> User-Agent: curl/7.21.0 (i686-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18
> Host: localhost
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Sat, 16 Jul 2011 12:13:43 GMT
< Server: Apache/2.2.16 (Ubuntu)
< X-Powered-By: PHP/5.3.3-1ubuntu9.3
* Added cookie PHPSESSID="eauo6se9o34oegs57nuhs5u3b7" for domain localhost, path /, expire 0
< Set-Cookie: PHPSESSID=eauo6se9o34oegs57nuhs5u3b7; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Vary: Accept-Encoding
< Content-Length: 1
< Content-Type: text/html
< 
* Connection #0 to host localhost left intact
* Closing connection #0
0

• -v: Make the operation more talkative
• -c: Write cookies to this file after operation

Next we show output cookie created by our session

alfred@alfred-laptop:~/www/stackoverflow/6717214$ cat cookie 
# Netscape HTTP Cookie File
# http://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.

localhost   FALSE   /   FALSE   0   PHPSESSID   d5jfijp8515pbhnoe43v4rau97

Standard PHP uses the file-system to store data belonging to session(PHPSESSID).For me the files are located at /var/lib/php5

alfred@alfred-laptop:~/www/stackoverflow/6717214$ php -r "echo session_save_path();"
/var/lib/php5

As you can see it stores that information inside file sess_d5jfijp8515pbhnoe43v4rau97. It is using serialize under the cover to convert object to string.

alfred@alfred-laptop:/var/lib/php5$ sudo cat sess_d5jfijp8515pbhnoe43v4rau97
count|i:1;

I need to sudo because I can standard not read from that location

alfred@alfred-laptop:/var/lib$ sudo ls -la /var/lib/ | grep php5
drwx-wx-wt  2 root          root           4096 2011-07-16 14:16 php5

The read bit has not been set for that directory

Curl second time using saved cookie

alfred@alfred-laptop:~/www/stackoverflow/6717214$ curl -v -b cookie http://localhost/stackoverflow/6717214/session.php
* About to connect() to localhost port 80 (#0)
*   Trying ::1... Connection refused
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET /stackoverflow/6717214/session.php HTTP/1.1
> User-Agent: curl/7.21.0 (i686-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18
> Host: localhost
> Accept: */*
> Cookie: PHPSESSID=d5jfijp8515pbhnoe43v4rau97
> 
< HTTP/1.1 200 OK
< Date: Sat, 16 Jul 2011 12:28:59 GMT
< Server: Apache/2.2.16 (Ubuntu)
< X-Powered-By: PHP/5.3.3-1ubuntu9.3
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Vary: Accept-Encoding
< Content-Length: 1
< Content-Type: text/html
< 
* Connection #0 to host localhost left intact
* Closing connection #0
1

• -b: Cookie string or file to read cookies from

As you can see we can count without storing any of that information inside cookie. We use the same cookie to remember our state. You can also see that the information on disc has changed to reflect this.

alfred@alfred-laptop:~/www/stackoverflow/6717214$ sudo cat /var/lib/php5/sess_d5jfijp8515pbhnoe43v4rau97
count|i:2;

Cookies

When just using cookies everything is stored on the users computer.

Code

<?php

$counter = 0;

if (isset($_COOKIE['counter'])) {
    $counter = $_COOKIE['counter'] + 1;
}

setCookie("counter", $counter, NULL, NULL, NULL, NULL, TRUE);
echo $counter;

First time with Curl storing cookie

alfred@alfred-laptop:~/www/stackoverflow/6717214$ curl -c cookie -v http://localhost/stackoverflow/6717214/cookie.php
* About to connect() to localhost port 80 (#0)
*   Trying ::1... Connection refused
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET /stackoverflow/6717214/cookie.php HTTP/1.1
> User-Agent: curl/7.21.0 (i686-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18
> Host: localhost
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Sat, 16 Jul 2011 13:22:03 GMT
< Server: Apache/2.2.16 (Ubuntu)
< X-Powered-By: PHP/5.3.3-1ubuntu9.3
* Added cookie counter="0" for domain localhost, path /stackoverflow/6717214/, expire 0
< Set-Cookie: counter=0; httponly
< Vary: Accept-Encoding
< Content-Length: 1
< Content-Type: text/html
< 
* Connection #0 to host localhost left intact
* Closing connection #0
0

When we output cookie we get:

alfred@alfred-laptop:~/www/stackoverflow/6717214$ cat cookie
# Netscape HTTP Cookie File
# http://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.

#HttpOnly_localhost FALSE   /stackoverflow/6717214/ FALSE   0   counter0

As you can see everything is stored inside the cookie and sent over the wire.

Curl Second time using cookie

alfred@alfred-laptop:~/www/stackoverflow/6717214$ curl -b cookie -c cookie -v htp://localhost/stackoverflow/6717214/cookie.php
* About to connect() to localhost port 80 (#0)
*   Trying ::1... Connection refused
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET /stackoverflow/6717214/cookie.php HTTP/1.1
> User-Agent: curl/7.21.0 (i686-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18
> Host: localhost
> Accept: */*
> Cookie: counter=0
> 
< HTTP/1.1 200 OK
< Date: Sat, 16 Jul 2011 13:32:24 GMT
< Server: Apache/2.2.16 (Ubuntu)
< X-Powered-By: PHP/5.3.3-1ubuntu9.3
* Replaced cookie counter="1" for domain localhost, path /stackoverflow/6717214/, expire 0
< Set-Cookie: counter=1; httponly
< Vary: Accept-Encoding
< Content-Length: 1
< Content-Type: text/html
< 
* Connection #0 to host localhost left intact
* Closing connection #0
1

Session is more safe than cookie because it stores on the server. Use session, it simple:)

There are many differences between a session and a cookie, because these are two different concepts. Some of their characteristics can be compared with each other:

Location: The session ^{PHP Manual} is stored on the server, the cookie ^{PHP Manual} on the client computer.

Transfer: Cookie-Data is transferred over the net with every request - sessions data as it resides on the server is not.

Size: Cookies are of limited length as well. A PHP session can take much more data.

Non-persistent cookies should be used for non-sensitive and very lightweight data.

Session variables for state that is stored per session on the server.

The thing to realize is that in order for Session state to work, the server will issue a session cookie to the browser, which the browser will send on each subsequent request, and which will enable the server to retrieve the correct session data for the user's session. This is inherently linked to HTTP being stateless and is one of the web fundamentals.

Note however, that if you are not going over HTTPS (using SSL), these session cookies can be easily intercepted and could be replayed by an attacker which would gain access to your session, a so called Man-In-The-Middle attack.

SESSION can't be affected so easy as cookie can, because SESSION is stored on server and only SESSID cookie is required on client's side.

Additionaly, cookies have limited lenght (Thanks @Alfred)