The Difference between Cookies and Sessions

Today, security plays an important role in our internet world. Whether we casually browse shopping websites or sign in to our bank accounts to check balances, site security should always protect the privacy of our information and prevent data from being leaked.

So… how does a website remember us throughout the whole visit, without kicking us back to the login page every time we click through to a different path on the same site after we log in? How does the website protect our privacy during our visits? This is where cookies and sessions come into play. In this blog, I will list the key differences between cookies and sessions, and talk about when to use one or the other.

What is a cookie? A cookie is a piece of information that a website stores on the client computer. What is a session? A session is a user-specific data record that is stored on the server.

What are the key differences between cookies and sessions?

  • Cookies contain user information on the client side. Sessions contain user information on the server side.
  • Cookies can be used to identify sessions, but not the other way around.
  • Cookies are sent on every request to the same website, whereas session lookup depends on the backend application logic.
  • Cookies are supported by all major browsers and have a standardized set of behaviors, whereas sessions generally depend on the backend application framework used or require a custom implementation.
  • The official maximum size on a cookie is 4KB whereas in a session, we can store as much data as we like.

This brings us to our last question: when to use cookies and when to use sessions?

For cookies, since HTTP is a stateless protocol, we can track application state by using small pieces of information that are stored on users’ computers. Because cookies’ paths are stored in browsers, users can easily select their personal preferences, and we can also effectively track the various pages visited by different users.

For sessions, because they are usually used to pass values from one page to another, we tend to store important information such as User IDs on the server, both for security purposes and to protect users’ privacy. Sessions are also often used for certain browsers that block cookies. Compared to passing global variables in the URL, sessions store them in a more efficient and more secure way. For example, in an online shopping store application, sessions can easily store shopping cart information with a capacity larger than 4KB.
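The relationship described above, where the cookie only identifies the session and the user data stays on the server, can be sketched as follows. This is an added example, not code from the original post; the cookie name `sid`, the in-memory `SESSIONS` store and the sample user and cart are assumptions made for illustration.

```python
import json
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "sid"   # hypothetical cookie name
SESSIONS = {}         # server-side store (in memory here): session ID -> user data

def create_session(user_id):
    """Store user data on the server; return the Set-Cookie header value."""
    sid = secrets.token_urlsafe(32)            # random, unguessable identifier
    SESSIONS[sid] = {"user_id": user_id, "cart": []}
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = sid                  # the cookie carries the ID only
    cookie[COOKIE_NAME]["path"] = "/"
    cookie[COOKIE_NAME]["httponly"] = True     # not readable from page scripts
    cookie[COOKIE_NAME]["secure"] = True       # sent over HTTPS only
    cookie[COOKIE_NAME]["samesite"] = "Lax"    # limits cross-site sending
    return cookie[COOKIE_NAME].OutputString()

def load_session(cookie_header):
    """Look up the session named by a request's Cookie header, or return None."""
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    morsel = cookie.get(COOKIE_NAME)
    return SESSIONS.get(morsel.value) if morsel is not None else None

def destroy_session(cookie_header):
    """Log out: delete the server-side record so the old cookie stops working."""
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    morsel = cookie.get(COOKIE_NAME)
    if morsel is not None:
        SESSIONS.pop(morsel.value, None)

def demo():
    set_cookie = create_session(user_id=42)        # constructed sample user
    cookie_header = set_cookie.split(";", 1)[0]    # browser echoes name=value only
    session = load_session(cookie_header)
    # Constructed sample cart, larger than a cookie could hold
    session["cart"] = [{"sku": f"ITEM-{i}", "qty": 1} for i in range(500)]
    cart_bytes = len(json.dumps(session["cart"]))
    forged = load_session("sid=guessed-value")     # unknown ID -> no session
    destroy_session(cookie_header)
    after_logout = load_session(cookie_header)     # same cookie, record gone
    return len(cookie_header), cart_bytes, forged, after_logout

if __name__ == "__main__":
    print(demo())
```

Because the browser holds only a random identifier, editing the cookie cannot change the stored user ID or cart, and deleting the server-side record ends the session even if the browser keeps sending the old cookie.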

I hope this blog has given you a better understanding of the difference between cookies and sessions, and of when to use one or the other.

Thanks for reading!
