Cookies - A Tutorial by Kyle McIntyre


Cookies and Sessions

For beginning web developers, there is usually some confusion surrounding cookies, sessions, and how they relate. Cookies and sessions are different technologies, but they facilitate one another greatly. As we know, a cookie is a file on a user's local machine that holds a single piece of information in the form of a key-value pair. Cookies are sent back to the site that set them on subsequent visits from that machine.

Sessions are stored and managed on the server. All of the visits a user makes to a website from the same browser window are said to be part of the same session. For instance, if a user with the IP address 127.0.0.1 visits the xyz.com server for the first time, a new session is created that is associated with his or her IP address. Subsequent visits to xyz.com will be associated with the same session until the browser is closed. If the browser is closed and the user returns to xyz.com, a new session is started and the previous session is either gone from the server or has become inaccessible. However, since HTTP is a stateless protocol, the server has no way of knowing whether the user has closed the browser window (and the session should be deleted) or is simply taking a long time to proceed to the next page. Thus, sessions typically time out after a certain period of inactivity. Once a session times out, it is removed from the server.

Some web technologies, such as JSP, perform session management implicitly. Other technologies, such as PHP, require the web page to explicitly start and handle sessions. Both of these technologies, however, allow the developer to associate auxiliary data with a particular session. Such data is referred to as a session variable. Session variables are infinitely useful to web developers because, like cookies, they allow a website to adapt to a particular user. The advantage of session variables over cookies is that they are stored on the server and are thus inherently safer to use.

So how are cookies and sessions related? In theory, sessions should be able to operate on their own when it comes to recognizing users, since each session is associated with an IP address that could be compared against the IP address of visiting users. If a match were found, the appropriate session variables could be applied. In practice, however, most technologies assign each session object a session ID that users must provide in order to associate themselves with a particular session object. Session IDs can be assigned to users and propagated through GET and POST variables, as well as everyone's favorite, cookies.

Using cookies to store session IDs is one of the most common uses of cookies today. This allows a web application to retain most of its information about a user on the server while still providing users with a tailored web experience by recognizing them from one page load to the next. Thus, cookies and sessions create what some might call the Zen of web development. However, developers must be aware that if a user has cookies disabled, he or she will be unable to use the site properly. Thus, GET and POST variables are still used by some applications.
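As an added example (not code from the original tutorial), here is a minimal server-side session store in Python that reads the session ID from the request's Cookie header, attaches session variables to it, and removes sessions after a period of inactivity, as described above. The cookie name SESSIONID, the 20-minute idle timeout and the SessionStore class are assumptions of this example.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_COOKIE = "SESSIONID"   # cookie name assumed for this example
IDLE_TIMEOUT = 20 * 60         # seconds of inactivity before a session is dropped


class SessionStore:
    """Server-side session table: session ID -> [last access time, session variables]."""

    def __init__(self, timeout=IDLE_TIMEOUT, clock=time.time):
        self.timeout = timeout
        self.clock = clock          # injectable so tests can advance time
        self._sessions = {}

    def open(self, cookie_header):
        """Look up the session named in the Cookie header, or start a new one.
        Returns (session_id, session_variables, set_cookie_value_or_None)."""
        now = self.clock()
        self._expire(now)
        jar = SimpleCookie()
        jar.load(cookie_header or "")
        morsel = jar.get(SESSION_COOKIE)
        if morsel is not None and morsel.value in self._sessions:
            entry = self._sessions[morsel.value]
            entry[0] = now                          # activity resets the idle timer
            return morsel.value, entry[1], None
        # Missing, expired or unknown ID: mint an unguessable one server-side rather
        # than adopting whatever value the client sent.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = [now, {}]
        set_cookie = f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly; SameSite=Lax"
        return sid, self._sessions[sid][1], set_cookie

    def _expire(self, now):
        """Drop sessions idle longer than the timeout (the server cannot see a browser close)."""
        dead = [sid for sid, (last, _) in self._sessions.items() if now - last > self.timeout]
        for sid in dead:
            del self._sessions[sid]


if __name__ == "__main__":
    store = SessionStore()
    sid, variables, header = store.open(None)            # first request: no cookie yet
    variables["visits"] = 1                              # a session variable
    print("Set-Cookie:", header)
    _, variables, header = store.open(f"{SESSION_COOKIE}={sid}")  # browser sends it back
    variables["visits"] += 1
    print("visits =", variables["visits"], "| new cookie needed:", header is not None)
```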

Security Concerns

Email: mcintyr@cs.montana.edu   Last Updated: June 8th, 2005