1

I have a vague understanding of the relationship between a session and cookie(s) in php. From my understanding cookie is supposed to aid implementation of session for a client at the server side, But I need clarification on some experiment I conducted today.

<?php
    session_start();
    setcookie("userCookie", "myCookie");
if( isset($_GET["sessName"]) && isset( $_GET["sessValue"] ) ) {
    $_SESSION[filter_input(INPUT_GET, "sessName")] = filter_input(INPUT_GET, "sessValue");
}
foreach ($_SESSION as $sessNames){
    echo $sessNames;
}

?>

<form method="GET">
    <input type="text" name="sessName" placeholder="Session Name">
    <input type="text" name="sessValue" placeholder="Session value">
    <input type="Submit" >
</form>
?>

If I supply a value "foo" into session Name and submit then later delete userCookie from the browser "chrome" the user input will still remain in session. But if I delete "PHPSSID" cookie leaving "userCoookie" from browser, the user input will be lost. This brings me to the question of what practical benefit or use can be acheived in sending a client more than one cookie "PHP started managed cookie from session_start()

Ndifreke
  • 732
  • 1
  • 8
  • 13
  • 2
    $_SESSION != $_COOKIE, it may use a cookie, but it shouldn't be treated like one. – Lawrence Cherone Jan 05 '18 at 23:19
  • The uses differ. [See this](https://stackoverflow.com/questions/6339783/what-is-the-difference-between-sessions-and-cookies-in-php) ... as @LawrenceCherone just mentioned in his comment. – Paul T. Jan 05 '18 at 23:19
  • You should really learn the difference between "session cookies" and other cookies from an online resoiurce, book, etc., instead of asking this community to teach you. – marekful Jan 05 '18 at 23:19
  • I understand that, but in a case where you have more than one cookie in example above, and deleting PHP Cookie from the browser kills the session, what use then is other cookie if PHP can't use it to maintain state – Ndifreke Jan 05 '18 at 23:23
  • A normal cookie would be for holding application state once the browser is closed, like whether to show a welcome message or some menu toggle, or tracking visits etc. Session cookie is for maintaining state across page loads. Look into [JWT](https://jwt.io/) if don't want to use a session. – Lawrence Cherone Jan 05 '18 at 23:26
  • To add to that normal cookies are kinda mute now we have [sessionstorage](https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage) and [localstorage](https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage) APIs – Lawrence Cherone Jan 05 '18 at 23:29

1 Answers1

0

If you are using $_SESSION you don't need to set any cookie. PHPSSID cookie is used by PHP to keep track of the session.

Lluís Camino
  • 178
  • 3
  • 10
  • Can you check your browser and see how many cookies are from stack overflow? – Ndifreke Jan 05 '18 at 23:27
  • This is not true. Sessions are short-lived, generally persisting only while you're continuously using the site. Cookies can persist for months or years. Cookies are also directly visible to client-side applications, sessions are only on the server. – Barmar Jan 05 '18 at 23:40