To Session or to Cookie, that is the question

 

When should you use a session and when should you use a cookie?

akozlik



post 23 May, 2008 - 11:47 AM
Post #1


A lot of people who are beginning to write applications for the web have a hard time figuring out when to use cookies and when to use sessions. They both have their proper places in your toolbelt, and can be great for persistent data storage if used properly.

Cookies

A cookie is great for storing data that needs to be held for a long time, typically longer than a user will be on the site. Cookies are great for checking if a user has already completed a certain task, or for maintaining a persistent login state. Unfortunately, not everybody has cookies turned on in their web browsers. This could lead into some problems if your script is dependent on pulling information from a cookie. Typical of this problem is login scripts. Cookies are also stored on the client's machine, which could be a security issue if not properly handled. It's typically poor practice to store secure information in a cookie.

Let's assume you write a login script that checks to see if $_COOKIE['loggedIn'] is set to true, and if so, it displays the page. What would happen if a user has cookies disabled in their browser? You go to setcookie(), and you're unable to. When the user goes to a page that requires a login, they get kicked out to re-login. This proves an obvious problem. It's times like these when you're better off using sessions.

Sessions

Sessions are wonderful if you want to store some data while a user is visiting your site. Sessions only last for as long as the user is on your site, and are perfect for holding information such as logins and permissions. However, if you want to store data for an extended period of time, you may be better with a cookie. Unlike cookies, sessions are stored on the server side of the site, and are considered by many to be more secure.

Going back to the login sample, you can see what happens if you set $_SESSION['loggedIn'] when a login is successful. It doesn't matter if the user has cookies set or not, because you're storing everything on the server side! It is a much more reliable way to store necessary information, as you know you'll always be able to access it. Just remember that important session_start() function when using sessions.

I know it was a short tutorial, but hopefully you have a better understanding of when to use sessions and when to use cookies. Both methods of data storing have their pros, cons, and particular uses. Good luck with your programming, and hopefully you now have another skill to add to your toolset. As always, questions, comments, and corrections are welcome. Take care!

joeyadms



post 26 May, 2008 - 06:18 PM
Post #2
Great tutorial. One thing to note is that Sessions by default store the Session Identifier in a client side cookie, but you can extend this and store them via form values, and you can also change where sessions are stored from flat files to database engines.

Cookies you really have to be careful about, sessions can be trusted, you still should escape the information stored in session variables, but you can trust the source (Unless you're on a shared hosting provider that has been compromised.) It is VERY easy to change cookie info, so say you set a cookie variable $_COOKIE['loggedIn'], if an attacker looks through cookie data and sees this, he can change it and reload the page, and he will be successfully logged in.
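
The login check discussed in both posts, as an added example that is not part of either post: the `$_COOKIE['loggedIn']` test accepts whatever the browser sends, while the `$_SESSION['loggedIn']` flag is only ever set by the server after the password is verified. The function names, the sample account, and the cookie flags and `session_regenerate_id()` call are assumptions added here, not code from the thread.

```php
<?php
declare(strict_types=1);

// Constructed sample account store (hypothetical); real code would query a database.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

// Weak: the flag lives in the browser, so the client chooses its value.
function isLoggedInFromCookie(array $cookies): bool
{
    return ($cookies['loggedIn'] ?? '') === 'true';
}

// The browser only holds the session ID; restrict how that ID cookie is exposed.
function startHardenedSession(): void
{
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start(); // must run before any output is sent
}

// The flag is written server-side, and only after the password has been checked.
function login(string $user, string $password, array $users): bool
{
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return false;
    }
    session_regenerate_id(true); // fresh ID once the session gains privileges
    $_SESSION['loggedIn'] = true;
    return true;
}

function isLoggedInFromSession(): bool
{
    return ($_SESSION['loggedIn'] ?? false) === true;
}

startHardenedSession();
// Constructed request: the client sent an edited cookie and never submitted a password.
$forged = ['loggedIn' => 'true'];
$results = [
    'cookie check, edited cookie'  => isLoggedInFromCookie($forged),
    'session check, edited cookie' => isLoggedInFromSession(),
    'login with wrong password'    => login('alice', 'guess', $users),
    'login with right password'    => login('alice', 'correct horse', $users),
    'session check after login'    => isLoggedInFromSession(),
];
foreach ($results as $label => $ok) {
    echo $label, ': ', $ok ? 'accepted' : 'rejected', PHP_EOL;
}
```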