Cookies vs Sessions


falltime

For several of my clients, I've always just reused a great session class that I wrote a while ago and it has always served me well. It implemented standard PHP session management and set basic cookies for long-term persistent access.

 

I've moved on to a much larger web app project that must be scalable, particularly in terms of performance. I've been doing a bit of reading on the common problems with PHP sessions when scaling up to large server farms. Additional expensive software is required to centralize persistent session data, and it adds quite a bit of performance overhead.

 

So I've considered rewriting my session class to drop PHP sessions altogether and just work with cookies. It sounds like this is a really common alternative, although I'm a bit wary of the obvious potential security issues (cookie theft, etc). I know you can set a cookie expiration to 0 so that it expires as soon as the browser is closed, but from my experience, it doesn't quite work in the same way as a session - every browser window must be closed (at least in FF) for the cookie to fully expire as opposed to just the specific website browser window (in the case of sessions).


Oh God....  I don't think you understand exactly how sessions work if you're thinking of storing session data in a cookie.

 

Here's how it generally works:

 

Server has a certain datasource (for my example, it will be a file), from which it pulls data.

 

It knows which datasource to choose based on a key from the client.  (The session ID, which is generally stored in a cookie.)

 

So, sessions = server side, cookies = client side.

 

It would be like...

 

Ohhh good analogy....

 

Let's say I'm a banker, and I have 2 clients.  Client 1 would come to me and say, "Hi, I'm Client 1," and I would look in my little banker-analogy book and know he has $x.  Client 2 would come and say, "Hi, I'm Client 2," and I would look in my little book and see that he has $y.

 

Now, if I'm storing the session data client side, suddenly Client 1 is coming to me and saying, "Hi, I'm Client 1, and I have $x."  x could be any value he chooses, since cookies can be modified by clients.

 

As for multiple servers accessing the same sessions...  There are multiple ways to do it.  One of the most common ways is to store the sessions in a globally accessible database.  For example, let's say you have 2 content presentation servers and they access 1 database server.  You could store the sessions on the 1 database server, and both content presentation servers could access it.

 

Or, you could simply network the drive where the sessions are stored and set PHP to use that location.  (I would not personally go with this one as much can go wrong.)

Anyway, maybe you were asking something else, and my answer was just entirely random.
