Comparison of cookie and session usage in PHP

Source: Internet
Author: User
Tags setcookie

1. Cookie data is stored in the client's browser, and session data is stored on the server.

2. Cookies are not very secure. Others can analyze the cookies stored locally and perform cookie spoofing. Sessions should be used for security reasons.

3. A session is kept on the server for a certain period of time. As the number of visits increases, sessions take up a noticeable share of your server's resources. To reduce the load on the server, cookies should be used.

4. The maximum size of a single cookie on the client is 3 kB. That is to say, a website cannot store more than 3 kB in a cookie on the client.

Example: cookie

1. setcookie('user', 'hangsan', time() + 3600) sets a cookie named user that lives for 1 hour. Note that this function sends an HTTP header, like PHP's header() redirect function, so there cannot be any output (including spaces) before it.
2. Use $_COOKIE['user'] to obtain the cookie value.
3. Cancel a cookie: setcookie('user', '', time() - 3600); or setcookie('user');

// Delete the client's session ID cookie
if (isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time() - 30, '/');
}

Example: session

1. // Enable the session
session_start();
2. // Clear the session values
$_SESSION = array();

// Completely destroy the session
session_destroy();

Which is more secure, session or cookie?

Personally, I think the session is safer. I have the following opinions.

1. If the session were only as secure as the cookie, the two would not exist at the same time. Cookies alone would be enough: the client would share the server's burden, and it would be transparent to users. Why not?

2. The session's sessionID is stored in the cookie. To break the session, the first thing to do is to break the cookie. After the cookie is broken, you need to get the sessionID. The sessionID is generated only when someone logs on or calls session_start, and you do not know when someone will log on. Second, the sessionID is encrypted. On the second session_start, the previous sessionID is useless, and the sessionID expires when the session expires, so it is difficult to break an encrypted sessionID in a short time. A session is for one communication and ends when that communication ends, while a real cookie exists in a text file on the client's hard disk. Which one is safer is obvious.

3. If the session were so vulnerable and insecure, I think most existing websites would be insecure.
