4

I understand the normal application of a persistent cookie vs a session cookie. But if you can specify the expiration time of a session cookie to behave like a persistent cookie and vice-versa. Is there any benefit to using session cookies besides them being obfuscated from the user and the session is stored on the server?

The `session_set_cookie_params()` function allows you to set a specific expiration time for a session. You can set the time in a persistent cookie in the `setcookie()` function.

I already pulled up the threads "Cookie VS Session" and "Session cookies and persistent cookies", and didn't find my answer.

White Lotus
  • _“`session_set_cookie_params()` function allows you to set a specific expiration time for a session”_ – no, it doesn’t. It allows you to specify how long the cookie that stores the session id should be valid – but this is something different than the actual “session lifetime.” – CBroe Jan 19 '16 at 10:17

1 Answer

5

> But if you can specify the expiration time of a session cookie to behave like a persistent cookie and vice-versa.

Not true, the difference between a session cookie and a persistent cookie is whether or not an expires value is given. A session cookie can't have an expiration time by definition.

> Is there any benefit to using session cookies besides them being obfuscated from the user and the session is stored on the server?

A session ID for something like PHP sessions can be stored in either a session cookie or a persistent cookie, and session cookies can contain other information besides session IDs. They both use the word "session" but are separate things.

A session cookie is the right choice if you want the cookie to disappear when the user closes their browser. A good example is online banking - the cookie that authenticates you should be destroyed when you close the browser so someone can't sneak onto your computer, reopen the browser, and start making transfers. Ever had your Facebook status or something like that changed as a prank?

mzulch
  • Read the documentation for the `session_set_cookie_params()` and test it out for yourself. You can totally specify an expiration besides when a browser closes. – White Lotus Jan 19 '16 at 07:41
  • That makes it a "persistent cookie" holding a "session ID", confusing terminology, huh? – mzulch Jan 19 '16 at 07:43
  • I wouldn't call it a "persistent cookie" because it is stored on the server. – White Lotus Jan 19 '16 at 07:48
  • Still confusing sessions and cookies. The session data is stored on the server as a file or in a database or redis, etc. The cookie contains an ID which identifies the session to the server so it knows which set of session data to use. – mzulch Jan 19 '16 at 07:50
  • Actually you can specify the session name using the `session_name` function and the value using `session_id`. And that goes back to what I said: I already know it's stored on the server. I'm trying to figure out if there are any other benefits to a session cookie. From what I'm getting at, a session cookie and a persistent cookie can almost imitate each other except the server aspect of a session cookie. – White Lotus Jan 19 '16 at 07:55
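
The distinction argued over in this thread, as an added example that is not code from the question, the answer or the comments: the cookie's lifetime only tells the browser when to drop the session ID, so the server enforces its own idle limit on the session data. It assumes PHP 7.3 or later for the array-style options; `IDLE_LIMIT`, the `last_seen` key and the `theme` cookie are names invented for this sketch.

```php
<?php
// Added example: cookie lifetime vs. server-side session lifetime.
// IDLE_LIMIT, 'last_seen' and 'theme' are hypothetical names for this sketch.

const IDLE_LIMIT = 900; // seconds of inactivity the server tolerates

// lifetime = 0 -> no expiry attribute is sent: a session cookie that the
//                 browser discards when it closes.
// lifetime > 0 -> an expiry is sent: a persistent cookie that still
//                 carries nothing but the session ID.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,   // only sent over HTTPS
    'httponly' => true,   // not readable from page JavaScript
    'samesite' => 'Lax',
]);
session_start();

// The browser decides when the cookie disappears; the server has to
// decide separately when the stored session data stops being valid.
$now = time();
$lastSeen = $_SESSION['last_seen'] ?? null;
if ($lastSeen !== null && ($now - $lastSeen) > IDLE_LIMIT) {
    $_SESSION = [];               // drop the stale server-side data
    session_regenerate_id(true);  // issue a new ID, delete the old session
}
$_SESSION['last_seen'] = $now;

// A persistent cookie in the sense used in the question: explicit expiry,
// value kept in the browser, suitable only for non-sensitive data.
setcookie('theme', 'dark', [
    'expires'  => $now + 30 * 86400, // 30 days
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
```

Changing `'lifetime'` to a positive number makes the ID cookie survive a browser restart, but the `IDLE_LIMIT` check still ends the session on the server after 15 minutes without a request.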