Menu
I'm just wondering. What's the difference in PHP between setting a cookie without expiration (meaning it expires as the browser closes) and setting a session variable. I'm not talking about login and stuff like that; rather not needing to fetch less-frequently changes database values on every page visit, etc.
444
P.S: you can protect your cookies even more by using http_only cookies. For PHP you could read http://ilia.ws/archives/121-httpOnly-cookie-flag-support-in-PHP-5.2.html. I forgot to do for this session example, but did use it for cookie example :(. When you use this your cookies can not be read from JavaScript with most browsers(that support http_only). To use http_only cookie for your session: ini_set("session.cookie_httponly", 1);
What's the difference in PHP between setting a cookie without expiration (meaning it expires as the browser closes) and setting a session variable
They can keep track of the same information, but with cookies(not using session) all information is stored on user/webbrowser which can be stolen by hackers or even altered to provide false information. For simple things you could use cookies, but then again I think you could also use sessions, because when you use cookie you need to transmit more information over the wire.
The internet(HTTP) standard is a stateless protocol(no memory) which has the advantage that it simplifies server design. The internet uses cookie to make it "remember".
Sessions only use cookie to store PHPSESSID inside cookie. Standard the rest of the information is stored on disc which is more secure way to keep state (store sensitive information). You could also encrypt your cookie to do this, but I think sessions is are nice way to do this.
You can override this behaviour and probably should when your website has high traffic to use something like memcached/redis to just store the session information inside memory(Memory is a lot faster than spinning disc to read file because memory also has no moving parts and is very close to CPU). For this to do you need to override session_set_save_handler. It is pretty easy to do with redis. To install redis just type make. Predis is the recommended(popular) redis client library for PHP. To save session information inside redis you could use redis-session-php.
I created a really simple php file to demonstrate sessions.
<?php
session_start();
if (!isset($_SESSION['count'])) {
$_SESSION['count'] = 0;
}
echo $_SESSION['count']++;
I am using Linux Ubuntu below.
alfred@alfred-laptop:~/www/stackoverflow/6717214$ curl http://localhost/stackoverflow/6717214/session.php -v -c cookie
* About to connect() to localhost port 80 (#0)
* Trying ::1... Connection refused
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET /stackoverflow/6717214/session.php HTTP/1.1
> User-Agent: curl/7.21.0 (i686-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18
> Host: localhost
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sat, 16 Jul 2011 12:13:43 GMT
< Server: Apache/2.2.16 (Ubuntu)
< X-Powered-By: PHP/5.3.3-1ubuntu9.3
* Added cookie PHPSESSID="eauo6se9o34oegs57nuhs5u3b7" for domain localhost, path /, expire 0
< Set-Cookie: PHPSESSID=eauo6se9o34oegs57nuhs5u3b7; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Vary: Accept-Encoding
< Content-Length: 1
< Content-Type: text/html
<
* Connection #0 to host localhost left intact
* Closing connection #0
0
-v: Make the operation more talkative-c: Write cookies to this file after operationNext we show output cookie created by our session
alfred@alfred-laptop:~/www/stackoverflow/6717214$ cat cookie
# Netscape HTTP Cookie File
# http://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.
localhost FALSE / FALSE 0 PHPSESSID d5jfijp8515pbhnoe43v4rau97
Standard PHP uses the file-system to store data belonging to session(PHPSESSID).For me the files are located at /var/lib/php5
alfred@alfred-laptop:~/www/stackoverflow/6717214$ php -r "echo session_save_path();"
/var/lib/php5
As you can see it stores that information inside file sess_d5jfijp8515pbhnoe43v4rau97. It is using serialize under the cover to convert object to string.
alfred@alfred-laptop:/var/lib/php5$ sudo cat sess_d5jfijp8515pbhnoe43v4rau97
count|i:1;
I need to sudo because I can standard not read from that location
alfred@alfred-laptop:/var/lib$ sudo ls -la /var/lib/ | grep php5
drwx-wx-wt 2 root root 4096 2011-07-16 14:16 php5
The read bit has not been set for that directory
alfred@alfred-laptop:~/www/stackoverflow/6717214$ curl -v -b cookie http://localhost/stackoverflow/6717214/session.php
* About to connect() to localhost port 80 (#0)
* Trying ::1... Connection refused
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET /stackoverflow/6717214/session.php HTTP/1.1
> User-Agent: curl/7.21.0 (i686-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18
> Host: localhost
> Accept: */*
> Cookie: PHPSESSID=d5jfijp8515pbhnoe43v4rau97
>
< HTTP/1.1 200 OK
< Date: Sat, 16 Jul 2011 12:28:59 GMT
< Server: Apache/2.2.16 (Ubuntu)
< X-Powered-By: PHP/5.3.3-1ubuntu9.3
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Vary: Accept-Encoding
< Content-Length: 1
< Content-Type: text/html
<
* Connection #0 to host localhost left intact
* Closing connection #0
1
-b: Cookie string or file to read cookies fromAs you can see we can count without storing any of that information inside cookie. We use the same cookie to remember our state. You can also see that the information on disc has changed to reflect this.
alfred@alfred-laptop:~/www/stackoverflow/6717214$ sudo cat /var/lib/php5/sess_d5jfijp8515pbhnoe43v4rau97
count|i:2;
When just using cookies everything is stored on the users computer.
<?php
$counter = 0;
if (isset($_COOKIE['counter'])) {
$counter = $_COOKIE['counter'] + 1;
}
setCookie("counter", $counter, NULL, NULL, NULL, NULL, TRUE);
echo $counter;
alfred@alfred-laptop:~/www/stackoverflow/6717214$ curl -c cookie -v http://localhost/stackoverflow/6717214/cookie.php
* About to connect() to localhost port 80 (#0)
* Trying ::1... Connection refused
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET /stackoverflow/6717214/cookie.php HTTP/1.1
> User-Agent: curl/7.21.0 (i686-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18
> Host: localhost
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sat, 16 Jul 2011 13:22:03 GMT
< Server: Apache/2.2.16 (Ubuntu)
< X-Powered-By: PHP/5.3.3-1ubuntu9.3
* Added cookie counter="0" for domain localhost, path /stackoverflow/6717214/, expire 0
< Set-Cookie: counter=0; httponly
< Vary: Accept-Encoding
< Content-Length: 1
< Content-Type: text/html
<
* Connection #0 to host localhost left intact
* Closing connection #0
0
When we output cookie we get:
alfred@alfred-laptop:~/www/stackoverflow/6717214$ cat cookie
# Netscape HTTP Cookie File
# http://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.
#HttpOnly_localhost FALSE /stackoverflow/6717214/ FALSE 0 counter0
As you can see everything is stored inside the cookie and sent over the wire.
alfred@alfred-laptop:~/www/stackoverflow/6717214$ curl -b cookie -c cookie -v htp://localhost/stackoverflow/6717214/cookie.php
* About to connect() to localhost port 80 (#0)
* Trying ::1... Connection refused
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET /stackoverflow/6717214/cookie.php HTTP/1.1
> User-Agent: curl/7.21.0 (i686-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18
> Host: localhost
> Accept: */*
> Cookie: counter=0
>
< HTTP/1.1 200 OK
< Date: Sat, 16 Jul 2011 13:32:24 GMT
< Server: Apache/2.2.16 (Ubuntu)
< X-Powered-By: PHP/5.3.3-1ubuntu9.3
* Replaced cookie counter="1" for domain localhost, path /stackoverflow/6717214/, expire 0
< Set-Cookie: counter=1; httponly
< Vary: Accept-Encoding
< Content-Length: 1
< Content-Type: text/html
<
* Connection #0 to host localhost left intact
* Closing connection #0
1
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
