Cookie and Session

Cookie:

A cookie is a small record of information that a website stores on a user's computer, via HTTP, when the user visits the site.

The website's server uses HTTP to store the user's state information on the user's PC, where it can later be read back or reused as needed.

To check cookies in a browser:

To check cookies in Chrome, you can use the developer tools (F12) and navigate to the "Application" tab, then click on "Cookies" to view the cookies for the current website.



Features of cookies:

  • They consist of a name, value, expiration date (storage period), and path information.
  • A client can store up to 300 cookies.
  • A single domain can have up to 20 cookies.
  • A single cookie can store up to 4KB (=4096 bytes) of data.

Cookie Process:

  • The client requests a page (the user accesses a website).
  • The web server creates a cookie.
  • The created cookie is sent back to the client together with the HTTP response.
  • The received cookie is saved on the client (local PC) and is sent back to the server along with the request when the client requests again.
  • If the client has the cookie on their PC when revisiting the same site, the cookie is sent along with the requested page.


Session:

A session is a mechanism that treats a series of requests from the same user (browser) over a period of time as one state and maintains that state.

Here, the period of time refers to the time from when the visitor connects to the web server through a web browser until the visitor ends the connection by closing the web browser.

In other words, a visitor's state of being connected to a web server is considered as one unit, and it is called a session.

Features of Session

  • The information needed to maintain state is stored in the web container on the web server.
  • The client is identified by a session cookie; the session data itself is kept on the web server.
  • It is relatively more secure than cookies because it is deleted only when the browser is closed or the session is deleted on the server.
  • There is no limit to the amount of data that can be stored (up to the server capacity).
  • It assigns a unique session ID to each client and provides appropriate services for each request based on the Session ID.

Session Process:

  • The client requests a page. (The user accesses the website.)
  • The server checks the Cookie field in the request header of the accessing client to see if the client has sent the session ID.
  • If the session ID does not exist, the server creates a session ID and returns it to the client.
  • The session ID returned to the client is stored on the client as a cookie.
  • When the client reconnects, it uses this cookie to send the session ID value to the server.
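The session process above, as an added example that is not part of the original note: a minimal server-side session store that reads the Cookie header, looks the ID up on the server, and issues a fresh ID via Set-Cookie when none is valid. The cookie name SESSIONID and the 30-minute lifetime are assumptions.

```python
import secrets
import time
from http.cookies import SimpleCookie
from typing import Optional

SESSION_COOKIE = "SESSIONID"   # assumed cookie name
SESSION_TTL = 30 * 60          # assumed server-side lifetime: 30 minutes

# Server-side session store: session ID -> {"expires": timestamp, "data": {...}}
# Only the ID ever leaves the server; the data stays here.
SESSIONS = {}


def _new_session(now: float) -> str:
    """Create a session with an unguessable ID and store it on the server."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"expires": now + SESSION_TTL, "data": {}}
    return sid


def handle_request(request_headers: dict, now: Optional[float] = None) -> tuple:
    """Return (session_id, response_headers) for one request.

    Step 2 of the process: check the Cookie header for a session ID.
    Step 3/4: if it is missing, unknown or expired, create a new ID and
    return it to the client in a Set-Cookie header.
    """
    now = time.time() if now is None else now
    cookie = SimpleCookie()
    cookie.load(request_headers.get("Cookie", ""))
    morsel = cookie.get(SESSION_COOKIE)
    sid = morsel.value if morsel else None

    session = SESSIONS.get(sid)
    if session is not None and session["expires"] > now:
        session["expires"] = now + SESSION_TTL   # sliding expiry on each use
        return sid, {}

    # Unknown, expired or forged ID: never trust it, issue a fresh one instead.
    SESSIONS.pop(sid, None)
    sid = _new_session(now)
    set_cookie = SimpleCookie()
    set_cookie[SESSION_COOKIE] = sid
    set_cookie[SESSION_COOKIE]["httponly"] = True   # not readable by page scripts
    set_cookie[SESSION_COOKIE]["secure"] = True     # sent over HTTPS only
    set_cookie[SESSION_COOKIE]["samesite"] = "Lax"
    set_cookie[SESSION_COOKIE]["path"] = "/"
    return sid, {"Set-Cookie": set_cookie[SESSION_COOKIE].OutputString()}
```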


Differences:

Cookies and sessions have similar roles and operate in a similar way. The reason is that sessions ultimately use cookies. The big difference is where user information is stored. Cookies do not use any server resources, while sessions use server resources.

In terms of security, sessions are superior. Cookies are vulnerable to tampering or interception in requests because they are stored locally on the client side. In contrast, sessions use cookies to store only a session ID and use that to differentiate and process on the server side, which makes them more secure.

Both cookies and sessions have a lifecycle. Cookies can expire, but since they are saved as files, the information can still persist even after the browser is closed. They can also be set to be kept until the cookie is deleted. On the other hand, sessions can also have an expiration period, but they are deleted regardless of the expiration time when the browser is closed.

In terms of speed, cookies are superior. Since cookies contain information, they make requests to the server faster. Sessions, on the other hand, are slower because the information is stored on the server and requires processing.

While the location of storage and security are commonly known differences between cookies and sessions, the most important difference is their lifecycle.


The reason cookies are used is that while sessions offer higher security compared to cookies, they use server resources. Since there are limits to server resources, managing resources by using both cookies and sessions appropriately can prevent waste of server resources and speed up website performance.

