Cookies and Sessions are used to store user data and maintain state across multiple requests in web applications. However, they differ in how they store and manage data.
Table of Contents
Cookies
Cookies are small data stored on the client side (browser) and sent to the server with each request.
Key Features of Cookies:
- Stored on the Client: Cookies are saved in the user’s browser and persist even after closing the browser (unless expired).
- Size Limitations: Typically, browsers restrict cookie size to about 4 KB per cookie.
- Expiration Time: Cookies can have an expiration date, making them either session cookies (deleted when the browser closes) or persistent cookies (remain for a set duration).
- Security Risks: Since cookies are stored on the client side, they are vulnerable to theft (via XSS attacks) and modification. Secure cookies can be set using the HttpOnly and Secure flags.
- Usage: Often used for remembering user preferences, authentication tokens, and tracking user activity (e.g., analytics).
Example of Setting a Cookie (Python – Flask)
from flask import Flask, request, make_response
app = Flask(__name__)
@app.route('/set_cookie')
def set_cookie():
response = make_response("Cookie Set")
response.set_cookie('username', 'JohnDoe', max_age=3600) # Expires in 1 hour
return response
@app.route('/get_cookie')
def get_cookie():
username = request.cookies.get('username')
return f'Hello, {username}!' if username else 'No cookie found!'
if __name__ == '__main__':
app.run(debug=True)Sessions
A session stores user-specific data on the server side and assigns a unique session ID (usually stored as a cookie in the client).
Key Features of Sessions:
- Stored on the Server: Unlike cookies, session data is kept on the server, making it more secure.
- Session ID in Cookies: A unique session ID is assigned to each user and stored in a cookie to track their session.
- Automatic Expiration: Sessions expire after a set time or when the user logs out.
- Larger Storage: Since the data is on the server, there’s no size limit (unlike cookies).
- Usage: Used for storing user login states, cart items in e-commerce, and temporary data across requests.
Example of Using Sessions (Python – Flask)
from flask import Flask, session
app = Flask(__name__)
app.secret_key = 'supersecretkey' # Required for session encryption
@app.route('/set_session')
def set_session():
session['username'] = 'JohnDoe'
return "Session set!"
@app.route('/get_session')
def get_session():
return f"Hello, {session['username']}!" if 'username' in session else "No session found!"
if __name__ == '__main__':
app.run(debug=True)
Key Differences Between Cookies and Sessions
| Feature | Cookies | Sessions |
|---|---|---|
| Storage | Client-side (Browser) | Server-side |
| Security | Less secure (can be stolen) | More secure |
| Expiration | Can persist after closing the browser | Ends when the user logs out or after timeout |
| Size Limit | Limited (4 KB per cookie) | No strict size limit |
| Use Cases | Remembering preferences, tracking | Authentication, cart items, sensitive data |
Conclusion
- Use cookies for lightweight, non-sensitive data that needs to persist across sessions.
- Use sessions when storing sensitive or temporary data that should not be exposed to the client.
- For enhanced security, consider HTTP-only cookies for session IDs to prevent JavaScript access.