Session Cookie vs Persistent Cookie - php

I understand the normal application of a persistent cookie vs a session cookie. But if you can specify the expiration time of a session cookie to behave like a persistent cookie and vice-versa. Is there any benefit to using session cookies besides them being obfuscated from the user and the session is stored on the server?
session_set_cookie_params() function allows you to set a specific expiration time for a session. You can set the time in a persistent cookie in the setcookie() function.
I already pulled up the threads
Cookie VS Session and Session cookies and persistent cookies, and didn't find my answer.

But if you can specify the expiration time of a session cookie to
behave like a persistent cookie and vice-versa.
Not true, the difference between a session cookie and a persistent cookie is whether or not the an expires value is given. A session cookie can't have an expiration time by definition.
Is there any benefit to using session cookies besides them being
obfuscated from the user and the session is stored on the server?
A session ID for something like PHP sessions can be stored in either a session cookie or a persistent cookie, and session cookies can contain other information besides session IDs. They both use the word "session" but are separate things.
A session cookie is the right choice if you want the cookie to disappear when the user closes their browser. A good example is online banking - the cookie that authenticates you should be destroyed when you close the browser so someone can't sneak onto your computer, reopen the browser, and start making transfers. Ever had your facebook status or something like that changed as a prank?

Related

What is the Working Flow of Session and Cookies together

I have many doubts on cookies and session
1) can anyone explain me work flow of cookies and session together(example if I visit any site and then login by my email and password then how cookies and session work together)
2) if cookies is set for 5 minutes and session is set for 10 minutes what will happen
3) how flow will work if cookies is disabled in my computer.
There are many questions which cover your doubts already, I'll link some below. I'll answer your specific questions first:
1) When you visit a website for the first time, actually when you do a session_start() on the PHP side, a new session ID is generated (a random string) and sent to the browser as cookie, usually with the name PHPSESSID, so next time you visit the site the same data is loaded back from the session file (which is stored somewhere on the server)
2) If cookie expires before the session the browser won't send the PHPSESSID value, thus a new session ID is generated. It is usually advisable to use an expire time for cookies way longer. When you expire a cookie, you rely on the client's browser to honor your disposition, but to be safe you must expire the session server side.
3) Sessions won't work, every time the client requests a page a new session cookie will be generated
Some more information:
cookies vs session
Cache VS Session VS cookies?
What is the difference between a Session and a Cookie?

Why PHP session destroys when clear browser's cookie

I have a little confusion about PHP session and session cookies.
Let me ask my question by giving an example of www.example.com.
When I login to www.example.com, it starts a session. So I'm logged in as a user on this website.
Now when I clear cookies in my browser, it deletes all the browser cookie.
My question is - Is the session at www.example.com destroyed when I clear the browser cookies even when I haven't clicked on logout button to destroy the session ?
So that explains what I want to ask.
Does clearing browser cookies automatically destroys PHP session even when you haven't done anything on a website that will call the function to destroy the session ??
Why PHP session destroys when clear browser's cookie
After clearing cookies PHP does not destroy session, it just cannot receive session id anymore (which is stored in cookies), so link between session data and current user connection is lost. PHP destroys session later, depending on its' config.
Does clearing browser cookies automatically destroys PHP session even
when you haven't done anything on a website that will call the
function to destroy the session ??
No, it does not. PHP has limits on session lifetime (see php.ini, session.gc_maxlifetime and session.cookie_lifetime), which basically define session lifetime. In addition to official manual, there's also a good explanation of how these settings influence session lifetime.
If you watch carefully, like through web inspector on Chrome/Firefox etc, then you can see that the PHPSESSIONID is set as a cookie. So if you delete all cookies then I imagine you delete this cookie as well and therefore the session doesn't know what ID to use.
It's Mechanisim of Session. You can read more here.
About Session (ussually Server Session). The Server saves all the Session user data on Server and retrives data by Session ID from client (by Cookies).
First time, Client sends a request to Server. The server has not found any Session ID from this request and responses a normal webpage and includes SET-COOKIE: SessionID=xyz
From now, every request from client will include Session ID = xyz (by Cookies).
If you clear Cookies, certainly the Session ID is gone.

Are cookies and sessions are depend on each other?

Are cookies and sessions depend on each other in PHP?
Does deleting or clearing either one of them affect the other?
Does by disabling either one of them in the browser affect the other?
P.S. I am newbie.
Edit: I was newbie at time of writing question. This question is faced by many newbies.
They are totally independent...
Cookies cannot store unlimited value, sessions can
You cannot store data in a cookie if user browser cookie is disabled where in session you can, because session id can append to URL
It is better to store data in sessions than to store in cookies because cookies can be tempered
If you delete cookies, then only those functionalities in your site will be disabled in which you are retrieving these cookies data but you'll be logged in and if you delete session cookie, you'll be logged out.. (1)
Cookies are stored on client machine where session are stored on your server
A session is ended if you close you browser while cookies stay there unless they are manually removed by the user or till they are expired
Inshort you've better control over sessions than on cookies
(1) For example if you are setting a cookie name demo and you are using a splash screen unless and until the demo is set you'll show a splash screen
if(!isset($_COOKIE['demo'])) { //Now this will show lightbox always if user has disabled his cookies
<script>...</script>
}
Articles
http://www.klovera.com/php-sessions-vs-cookies/
Reference
Session
Cookies
Sessions are stored on server, while cookies are on client. You can disable only cookies from your browser. Cookies can't affect session at all. In case of disabled cookies session id is passed via URL. If your cookies are enabled and session id is stored in cookie by deleting cookie you will not be able to access your session (It's still on server but you can't access it)
Also session can't affect cookies.
They are not connected, but by default PHP stores the session id within a cookie, The directive session.use_cookies is defaulted to 1
If cookies are disabled it uses URL. This can be set with session_use_trans_id. (default is disabled)
But if you delete a session cookie on the client, the next request to the server will not be able to find its associated session
Clearing session will not affect the cookies as cookies are attached with the HTTP request from the client to the server. A cookie can be set to expire after x amount of time, after which it is deleted on the client side.
All the answers are correct, just wanted to add this - If you do not set the timestamp for cookie, then the cookie is dependent on session and it will expire as soon as session ends.

Session cookie versus other kinds of cookies

In Internet Explorer, for example, you can enable first party cookies, third party cookies and allow session cookies.
I know the difference between:
a first party cookie and a third party cookie, and
a PHP session and a cookie.
But what is a session cookie? And how can you set one using PHP?
For example, you cannot log into Facebook without cookies enabled. However, if you allow session cookies, you can log into Facebook.
So, how does a session cookie differ from other kinds of cookies?
A cookie has a lifetime, after which it will expire (As denoted by the Expires directive). If you don't set a timeout, the browser will expire the cookie when you close the browser. This is called a session cookie.
These kind of cookies are often used to track a users current session state on the server side (E.g. php's sessions), but there is not a strong relation between the two uses of the word "session"
A session cookie holds the unique identifier that PHP generates when session_start() is called, so that each client can be associated with a session, and no two sessions can have the same ID at the same time.
The session cookie is usually destroyed when the browser window is closed, or can be done manually using session_destroy().
From Wikipedia:
Older definition: (2011-12-17)
A session cookie is created when no Expires directive is provided when
the cookie is created.
Latest definition:
A session cookie, also known as an in-memory cookie or transient
cookie, exists only in temporary memory while the user navigates the
website.[18] Web browsers normally delete session cookies when the
user closes the browser.[19] Unlike other cookies, session cookies do
not have an expiration date assigned to them, which is how the browser
knows to treat them as session cookies.
In PHP, when you use session_start() it creates a session, this will create a session cookie in the client browser, PHP needs the client to send this info back with each request so that PHP can tell the session ID.

Session cookies = cookies?

I wonder if cookies are the same as session cookies?
A cookie is a cookie.
"Session cookie" can refer to one of two things:
A cookie with unspecified timeout, which will be discarded as soon as the browser is closed. I.e. the browser will only retain it for the current "browsing session."
A cookie containing a session id.
Sometimes it means both. It's not a very well defined term.
As such, the correct description would be session cookie ⊆ cookie,
instead of session cookie = cookie. ;o)
All session cookies are cookies, but not all cookies are session cookies.
Session cookies are cookies whose only purpose is to maintain session state in your site. They typically disappear the moment you close your browser, whereas other cookies that contain some other data tend to persist across sessions.
I wonder if cookies are the same as session cookies?
No. There are different types of cookies.
Session cookies usually used for tracking sessions. They are deleted by a browser when you close it.
Persistent cookies saved on your hard drive. Persistent cookies expire (deleted by browser) when expiry date is reached.
First party cookies are set/retrieved by a website which you actually visit.
Third party cookies are set/retrieved by a different domain. Usually used for advertising and info sharing between websites.
There are also HTTP Only, Secure, and zombie cookies.
The main difference between cookies and sessions is that cookies are stored in the user's browser, and sessions are not. This difference determines what each is best used for.
A cookie can keep information in the user's browser until deleted. If a person has a login and password, this can be set as a cookie in their browser so they do not have to re-login to your website every time they visit. You can store almost anything in a browser cookie. The trouble is that a user can block cookies or delete them at any time. If, for example, your website's shopping cart utilized cookies, and a person had their browser set to block them, then they could not shop at your website.
Sessions are not reliant on the user allowing a cookie. They work instead like a token allowing access and passing information while the user has their browser open. The problem with sessions is that when you close your browser you also lose the session. So, if you had a site requiring a login, this couldn't be saved as a session like it could as a cookie, and the user would be forced to re-login every time they visit.
You can of course get the best of both worlds! Once you know what each does, you can use a combination of cookies and sessions to make your site work exactly the way you want it to.

Categories