1. Cookie data is stored in the client's browser, and session data is stored on the server.
2. Cookies are not very secure. Others can analyze the cookies stored locally and perform cookie spoofing. Sessions should be used where security matters.
3. A session is stored on the server for a certain period of time. As the number of visits increases, sessions take up more of the server's resources. To reduce the load on the server, cookies should be used.
4. The maximum size of a single cookie on the client is 3 kB. That is to say, a website cannot store more than 3 kB of cookies on the client.
Example: cookie
1. setcookie('user', 'hangsan', time() + 3600) sets the lifetime of the cookie named user to 1 hour. Note that this function sends an HTTP header, like the header() redirect function in PHP, so there must be no output (including spaces) before it is called.
2. Use $_COOKIE['user'] to obtain the cookie value.
3. Cancel a cookie: setcookie('user', '', time() - 3600); or setcookie('user');
4. Delete the session ID cookie:
// Delete the sessionid of the client in the cookie
if (isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time() - 30, '/');
}
Example: session
1. // enable session
session_start();
2. // clear the session value
$_SESSION = array();
// Completely destroy the session
session_destroy();
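The cookie deletion and session destruction steps above, combined into one logout routine, as an added example that is not code from the original page. The function names start_secure_session, login and logout are hypothetical, the cookie flags and the ID regeneration at login go beyond what the page shows, and it assumes PHP 7.3+ and a site served over HTTPS.

```php
<?php
// Added example (not from the original page). Requires PHP 7.3+ for the
// array forms of session_set_cookie_params() and setcookie().

// Start a session whose ID cookie is hidden from JavaScript and HTTPS-only.
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,        // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,     // assumption: the site is served over HTTPS
        'httponly' => true,     // not readable through document.cookie
        'samesite' => 'Lax',
    ]);
    session_start();            // must run before any output, like setcookie()
}

// Call after credentials are verified: issue a fresh ID, delete the old one.
function login(string $user): void
{
    start_secure_session();
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
}

// Full logout: clear the data, expire the client cookie, destroy server state.
function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    if (isset($_COOKIE[session_name()])) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 3600,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

login('hangsan');   // sample user name taken from the cookie example above
logout();
```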
Which is more secure, session or cookie?
Personally, I think the session is safer. I have the following opinions.
1. If the session were only as secure as the cookie, the two would not exist at the same time. Cookies alone would be enough: the client would share the server's burden, and it would be transparent to users. Why not?
2. The session's sessionID is stored in the cookie. To break the session, the first thing to do is to break the cookie. After the cookie is broken, you still need to get the sessionID. The sessionID is generated only when someone logs on or calls session_start, and you do not know when someone will log on. Second, the sessionID is encrypted. On the second session_start call, the previous sessionID is useless, and the sessionID expires when the session expires, so it is difficult to break an encrypted sessionID in a short time. A session exists for one communication and disappears when that communication ends, whereas a cookie exists in a text file on the client's hard disk. It is obvious which is safer.
3. If the session were so vulnerable and insecure, I think most existing websites would be insecure.