PHP login form with cookies/sessions

What are the differences/similarities between using a PHP login form with cookies/sessions?


Cookies are stored on the client machine and sessions are stored on the server.  Sessions are generally more secure as you can hack a cookie in order to gain access.

The good thing about cookies is that if you store user and password in a cookie then they don't have to log in every time they visit.

With cookies of course you have to rely on the fact that users have cookies enabled in the browser.  With sessions this is a non-issue.

Basically it comes down to preference.  If you want your user to be able to save their login info so they don't have to log in every time they visit you need to use cookies.  If you don't care about that then sessions are the way to go.

Dave Baldwin (Fixer of Problems) commented:
That's not completely true.  Cookies are usually used in PHP to identify the session that the user is in so that only their session data will be retrieved.
True if you are saving the session data to be used after the browser is closed.

Dave Baldwin (Fixer of Problems) commented:
No, that's not the way it works.  Please read this page about passing the session id:
In no way did the OP say they were going to be passing session IDs.  You do NOT need to pass session IDs for a simple login form.

I have many sites that use sessions and not a single cookie is stored on the client side.  You do not need both unless A) You want to save session data and refer to it later, or B) You want to combine the benefits of both cookies and sessions.
Dave Baldwin (Fixer of Problems) commented:
This is his third question in a series about logins and sessions and how to do them.  You cannot maintain a session without passing the session_id.  There are two methods, cookies and URL parameter.  Most of us use cookies.  If you are not doing either one of those, then you are not maintaining your session data in PHP.

By the way, the default method of passing the session_id when you call "session_start()" is to set a cookie.  If you do not tell PHP to not use cookies, then "session_start()" will set a cookie.
Again...that is true if you are passing between pages.  It is not necessary if you are passing params via AJAX.  I base my entire site off this method and it works perfectly...even with cookies disabled.
Ray Paseur commented:
PHP Sessions almost always use Cookies.  The session cookie contains a key to locate information that is kept on the server.  The session information on the server is a serialized array that is turned back into $_SESSION when session_start() is executed.

If you use session_start() to create a session variable, you must do that before any browser output because the session_start() function sets a cookie.

Similarly, if you use session_start() to retrieve a session variable, you must do that before any browser output because the session_start() function gets and then sets a cookie.

The session cookie is set with a lifetime of zero, meaning that it ceases to exist after the browser is closed (all instances of the browser must be closed to delete the cookie).  In addition to the cookie, there is a "garbage collection" algorithm that causes PHP to delete any session data that is associated with a cookie more than 24 minutes old.  This garbage collector may or may not be invoked in a timely manner.  Takeaway message: If you want to keep a little bit of session data around, use session_start() and do not worry about the lifetime of cookies.  However if you want to do something that has economic value, like allowing an anonymous client to put things into a shopping cart for later purchase, use your own cookie.

How important is the cookie for the anonymous client?  I just attended a conference where a presenter (speaking about user experience) told us of a web site that had a "register now" requirement in front of the checkout-and-purchase page.  The abandoned shopping cart rate seemed high at the register page, so the user experience expert (this is now a specialty in a college psychology major) suggested changing the "register now" page into a post-checkout "remember me for next time" page.  The new landing page generated $300MM (three hundred million) dollars more.  Each year.  I can live with that.
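The mechanics described in the answer above (a session cookie with lifetime zero that only keys server-side data, plus your own cookie for persistence), as an added example that is not part of any post in this thread. The account, the token file path, the cookie name `remember` and the 30-day lifetime are assumptions, and HTTPS is assumed because the cookies are marked secure.

```php
<?php
// Added example, not code from the thread. Account, token file and cookie name are constructed.
define('TOKEN_FILE', sys_get_temp_dir() . '/remember_tokens.json'); // hypothetical store; a DB table in practice
define('REMEMBER_TTL', 30 * 24 * 3600);                              // assumed 30-day policy
$users = ['alice' => password_hash('demo-password', PASSWORD_DEFAULT)]; // constructed account

// The session cookie carries only a random id; the login state stays on the server.
ini_set('session.use_only_cookies', '1');  // never accept the id from a URL parameter
ini_set('session.use_strict_mode', '1');   // reject ids the server did not issue
ini_set('session.gc_maxlifetime', '1440'); // the 24-minute garbage-collection window
$cookieOpts = ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax'];
session_set_cookie_params(['lifetime' => 0] + $cookieOpts); // lifetime 0: dropped when the browser closes
session_start();                           // emits Set-Cookie, so it must precede any output

function loadTokens(): array {
    $raw = is_file(TOKEN_FILE) ? file_get_contents(TOKEN_FILE) : '';
    return json_decode($raw ?: '[]', true) ?: [];
}

function issueRememberCookie(string $user, array $cookieOpts): void {
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret half, sent only to the browser
    $tokens = loadTokens();
    // Store a hash of the validator so a leaked token file cannot be replayed as a cookie.
    $tokens[$selector] = ['user' => $user, 'hash' => hash('sha256', $validator), 'exp' => time() + REMEMBER_TTL];
    file_put_contents(TOKEN_FILE, json_encode($tokens), LOCK_EX);
    setcookie('remember', "$selector:$validator", ['expires' => time() + REMEMBER_TTL] + $cookieOpts);
}

function userFromRememberCookie(): ?string {
    $cookie = (string) filter_input(INPUT_COOKIE, 'remember');
    [$selector, $validator] = array_pad(explode(':', $cookie, 2), 2, '');
    $row = loadTokens()[$selector] ?? null;
    if ($row === null || $row['exp'] < time()) return null;
    return hash_equals($row['hash'], hash('sha256', $validator)) ? $row['user'] : null;
}

if (empty($_SESSION['user'])) {
    $name = (string) filter_input(INPUT_POST, 'user');
    $pass = (string) filter_input(INPUT_POST, 'pass');
    $ok = isset($users[$name]) && password_verify($pass, $users[$name]);
    $login = $ok ? $name : userFromRememberCookie();
    if ($ok && filter_input(INPUT_POST, 'remember')) issueRememberCookie($name, $cookieOpts);
    if ($login !== null) {
        session_regenerate_id(true);       // fresh id at login prevents session fixation
        $_SESSION['user'] = $login;
    }
}
echo empty($_SESSION['user']) ? 'Not logged in' : 'Logged in as ' . htmlspecialchars($_SESSION['user']);
```

Neither cookie contains the user name or password; a logout handler should destroy the session and delete the matching token row.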
rgb192 (Author) commented: