Understanding the difference between a session and a cookie

The HTTP protocol is stateless, which means that HTTP itself will not retain information such as a username, password, or the items in a user's online shopping cart from one request to the next. Sessions or cookies are used to store information about a user, such as their username, password, or the items in their online shopping cart. As the user navigates to different pages on your website, the user's information can be retrieved from the session or cookie, which produces a stateful experience for the user.


Cookies are stored in the client's web browser.


In this example, a web app is configured to create a cookie named myname, and the cookie will hold the user's name, which is Bugs in this example.


When navigating to different pages on the site, Bugs can be displayed by writing code that gets the value of the cookie called myname.


One of the issues with cookies is that they are vulnerable to being manipulated: because the cookie lives in the client's browser, the user (or anyone with access to that browser) can edit it. For example, a cookie could be created where the name is Evil Hacker instead of Bugs. While this is trivial when it comes to a user's name, cookies could be a significant vulnerability when dealing with an online shopping cart.



There are a few common ways to create a session.

  • Using a cookie
  • Using URL rewriting
  • Using SSL

Just like cookies, a session can be created by first creating a cookie in the client's web browser. However, unlike a cookie, the data in a session is not stored in the cookie. Instead, the cookie contains a unique session ID, and this session ID correlates to a file on the server that contains information such as the username, password, and items in a user's online shopping cart.


In this example, the cookie is created in the client's web browser. However, the cookie does not contain Bugs; it contains only the session ID. This is considered more secure, as it will be more difficult (but not necessarily impossible) for a malicious user to craft an attack that compromises the security of your web app.
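As an added example (not code from the original page), the Python below contrasts the plain cookie described earlier, where the value itself, and therefore a shopping-cart price, lives in the client's browser and can be edited there, with the session approach described here, where the cookie carries only an unguessable session ID and the data stays in a server-side store. The cookie names (myname, price, sessionid), the in-memory SESSIONS dictionary standing in for the server's session file, the helper function names, and the sample Cookie: headers are all constructed for the example.

```python
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional


def cookie_value(cookie_header: str, name: str) -> Optional[str]:
    """Return the value of cookie `name` from a raw Cookie: request header, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header)          # stdlib parser; handles quoted values like "Evil Hacker"
    morsel = jar.get(name)
    return morsel.value if morsel else None


# --- Plain cookie: the data itself is held by the client's browser ---------------

def cart_total_from_cookie(cookie_header: str) -> int:
    """Insecure: the server trusts a price that the client stored and can rewrite."""
    price = cookie_value(cookie_header, "price")
    try:
        return int(price) if price is not None else 0
    except ValueError:               # non-numeric value sent by the client
        return 0


# --- Session: the cookie carries only an ID; the data stays on the server --------

# Constructed stand-in for the server-side session file/store described in the text.
SESSIONS: Dict[str, dict] = {}


def create_session(data: dict) -> str:
    """Store `data` server-side and return a fresh, unguessable session ID."""
    session_id = secrets.token_urlsafe(32)   # 256 bits from a CSPRNG, not a counter
    SESSIONS[session_id] = dict(data)
    return session_id


def session_from_cookie(cookie_header: str) -> Optional[dict]:
    """Look up the server-side session named by the client's sessionid cookie."""
    session_id = cookie_value(cookie_header, "sessionid")
    if session_id is None:
        return None
    return SESSIONS.get(session_id)          # unknown or forged IDs simply find nothing


def cart_total_from_session(cookie_header: str) -> int:
    """Secure variant: the price is read from the server-side session, never the cookie."""
    session = session_from_cookie(cookie_header)
    return session["price"] if session else 0


if __name__ == "__main__":
    # Constructed sample Cookie: headers, as a browser would send them.
    legit = "myname=Bugs; price=100"
    forged = 'myname="Evil Hacker"; price=1'          # client edited both values

    print("cookie  :", cookie_value(legit, "myname"), cart_total_from_cookie(legit))
    print("cookie  :", cookie_value(forged, "myname"), cart_total_from_cookie(forged))

    sid = create_session({"username": "Bugs", "price": 100})
    print("session :", SESSIONS[sid]["username"], cart_total_from_session(f"sessionid={sid}"))
    # Editing the session cookie (or adding price=1 next to it) does not help the client:
    print("session :", session_from_cookie("sessionid=1; price=1"),
          cart_total_from_session("sessionid=1; price=1"))
```

Run it directly to see both cases: with the plain cookie the forged price of 1 is accepted as-is, while with the session the forged sessionid finds no server-side record and the extra price cookie is never consulted. The session ID is now the only secret, so it must come from a cryptographic random source as above (a counter or timestamp would be guessable), and it needs the same protection on whichever path carries it: in a cookie, with the Secure and HttpOnly flags set, or, with URL rewriting, in the URL itself, where it will also land in server logs, browser history, and Referer headers.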


One potential problem with both cookies and cookie-based sessions is that a web browser can be configured to block cookies.


This will prevent the session from being created. One workaround is for users to explicitly allow cookies from the site. By default, cookies are enabled in the browser, because cookies are commonly used across almost every website on the Internet. However, a better solution is to create a session using URL rewriting or SSL.


Web design by yours truly - me, myself, and I   |   jeremy.canfield@freekb.net