session vs cookie

blackhorse

So if I can chose from use session or cookie, I would select to use session.

1) there are limitations how many cookies you can use, but if i use session, then I wouldn't have to face the cookie number limitations.

2) session id could be set up to be passed as parameter, so if we set up session id to be passed as parameter it will solve the problem that if the clients doesn't accept cookie, am I missing something here?

Pieman86

Most sessions are cookie-based. PHP just makes setting them easier...

MarkR

You should probably use sessions.

And you should probably use cookies for session persistence (session.use_only_cookies = 1 or something).

The reasons are as follows:

Data in a session are not suceptible to unauthorised modification by the user. For example, you might put $_SESSION['loggedin'] = true, but you'd never set a cookie "loggedin" to "true", because the user could trivially modify that.
As you noted, you can store more data in a session (although storing a LOT of data (many records in an array, or large binary stuff) is probably a bad thing).
PHP's URL-rewriting is both annoying (it does stuff behind your back) and a security risk (session IDs easily leak out to third party sites via referer, session spoofing is pretty easy).

So DO use sessions, and don't use URL-rewriting - use only cookies for sessions - that's the only secure way.

blah.php?sessionid=01231231231231 is a really bad thing and should definitely be avoided.

Mark