HTTP is stateless, yet web applications need data to be carried across different web forms. As we discussed in an earlier post, cookies are one way to store data on a user's system. But cookies pose some security issues. When a website accesses cookies, the data is sent in the query string and is exposed, and an attacker can use this data to attack the website or alter it. PHP sessions overcome this issue because the data is not sent through the query string. Rather, it is stored on the server.
Another problem with cookies is that every time a user visits a website that sets cookies, the cookie data is transmitted to the server. If there are multiple cookies, a considerable amount of data travels back and forth between the browser and the server, slowing down the website. If PHP session variables are used instead, the time and bandwidth consumed by cookie data is saved, because the session data is already on the server.
How is session data identified and accessed?
It is done with the help of a session ID. Read on to learn about the session ID.
PHP Session ID
Unlike a cookie, PHP session variables (the data) are stored on the server. Each session is identified by a string value called the session ID or SID. Session IDs are generated by the server, never chosen by the client, which is what makes the session data secure.
The SID itself is stored as a cookie on the user's system. When the user requests the website by typing its URL into the browser, the browser locates the cookie containing the current SID and sends it to the server. Once the server has identified the SID, the PHP engine loads the matching session data from the server. The PHP scripts can then use this session data as variables, and the application becomes operational.
Security: PHP sessions vs. PHP cookies
PHP sessions are more secure than PHP cookies for the following reasons:
- Sessions are created, identified and maintained by the web server.
- SIDs are unique and random. They cannot be guessed by the usual ID-cracking tools used by attackers.
- Because SIDs are nearly impossible to guess, attackers fail to access the data being used in a session. This prevents any alteration of the data being used within a session.
- All session variables are stored on the server. The data is never passed back and forth between the server and the browser. Only the session ID saved in the cookie is sent from the browser to the server so that scripts can retrieve the session data.
You have learned that the number of cookies a website can store for a given user is limited, so only a few values can be saved in cookies for your website. Session data, on the other hand, is saved on the server, so a large amount of it can be stored to implement functionality that depends on data shared between different pages of a website.
How long is this data available?
As the name conveys, session data is available for the duration of the session. By default it is stored in a temporary file on the web server. This is unlike cookies, where the data can be kept for a specific duration by passing the expires argument to setcookie(). The session cookie is deleted automatically either when the user terminates the session or when the browser is closed.
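As an added example (not code from the original post), here is a minimal PHP 7.3+ login script that puts the points above into practice: only the SID travels in a cookie, the user data stays in $_SESSION on the server, and the cookie has no expiry, so it disappears when the browser closes. The inline user table and the /account.php redirect target are constructed for this example.

```php
<?php
// Added example, not code from the original post: a minimal login script
// that keeps user data in $_SESSION on the server and sends the browser
// nothing but the session ID cookie. The user table is constructed inline.

// Cookie parameters must be set before session_start() emits the cookie.
session_set_cookie_params([
    'lifetime' => 0,         // 0 = session cookie, dropped when the browser closes
    'path'     => '/',
    'secure'   => true,      // only transmitted over HTTPS
    'httponly' => true,      // not readable from JavaScript
    'samesite' => 'Strict',  // not sent on cross-site requests
]);
ini_set('session.use_only_cookies', '1'); // never read the SID from the URL
ini_set('session.use_strict_mode', '1');  // refuse SIDs the server did not issue
session_start();

// Constructed user store: in a real application the hash comes from a database.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = $_POST['user'] ?? '';
    $pass = $_POST['pass'] ?? '';
    if (isset($users[$user]) && password_verify($pass, $users[$user])) {
        // Issue a fresh SID at login so a SID planted before login is useless.
        session_regenerate_id(true);
        $_SESSION['user']     = $user;   // stored in the server-side session file
        $_SESSION['login_at'] = time();
        header('Location: /account.php'); // hypothetical next page
        exit;
    }
    http_response_code(401);
    exit('Login failed');
}

if (isset($_GET['logout'])) {
    $_SESSION = [];
    // Expire the SID cookie in the browser, then delete the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => $p['path'],
        'secure' => $p['secure'], 'httponly' => $p['httponly'], 'samesite' => $p['samesite']]);
    session_destroy();
    exit('Logged out');
}

// What the browser actually holds: the cookie name and the random SID only.
header('Content-Type: text/plain');
echo 'Cookie sent by browser: ', session_name(), '=', session_id(), "\n";
echo 'Logged in as: ', $_SESSION['user'] ?? '(nobody)', "\n";
```

Open the script over HTTPS, inspect the response headers, and the only Set-Cookie you will see is PHPSESSID (or whatever session.name is set to) carrying the random SID; the username and login time never leave the server.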