Reputation: 1685
What's the best way to keep a user logged in on a PHP-powered site until he closes his browser?
The first and the most popular way is to go with $_SESSION. The second is to pass zero as the third argument of the setcookie function: setcookie(name, value, 0, domain);
Upvotes: 14
Views: 19490
Reputation: 12430
As a PHP session actually stores the SID in a cookie (of course you can use other ways to set the SID if you like), there would not be much difference when simply using them.
The main difference is security, because if you use cookies directly, clients can see and/or edit them themselves, but with a session the data is stored on the server side, so the client cannot access it directly.
So if the data only lasts for that session, I prefer using a session.
Side-note: if you use multiple servers to balance the load you should be extremely careful because session data is stored locally on the server by default. It is possible to share session data across multiple servers but this is beyond the scope of this question. Alternatively, you can store data in a database.
Upvotes: 24
Reputation: 748
Cookies are limited: for each domain you can set 20 cookies, and the max size of each is 4 KB.
Upvotes: 2
Reputation: 2203
You should use $_SESSION.
Because if cookies are enabled, then a cookie will be used anyway for the PHP session identifier. So writing another cookie is not optimal.
The only reason you would want to use a cookie instead of a session is if you want to take care of load balancing. So if you have 2 servers and one of them fails, the session on that server will be lost. Now the logged-in user (who had a session on server 1) will be asked to log in again. But if he had a cookie instead, he would not be asked to log in again.
Upvotes: 2
Reputation: 44444
I suggest you go for PHP sessions. It's simple and you do not have to deal with cookies on your own.
The below is the code to truly destroy a session, copy-pasted from the example given in the PHP manual.
    // Initialize the session.
    // If you are using session_name("something"), don't forget it now!
    session_start();

    // Unset all of the session variables.
    $_SESSION = array();

    // If it's desired to kill the session, also delete the session cookie.
    // Note: This will destroy the session, and not just the session data!
    if (ini_get("session.use_cookies")) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $params["path"], $params["domain"],
            $params["secure"], $params["httponly"]
        );
    }

    // Finally, destroy the session.
    session_destroy();
About your question:
What's better to use to keep user logged in until he closes his browser?
There is no fail-proof way of determining when the user has closed the browser. One approach is to continuously keep sending small AJAX requests to the server. When no requests are seen for an extended period of time, destroy the session.
Another approach is to listen for DOM Window unload and send a request to the server to destroy the session.
Upvotes: 3
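An added example (not code from any of the answers above) showing the session approach end to end: a session cookie with lifetime 0 that the browser drops on close, a fresh session ID at login, and a server-side idle timeout for the case where no browser-close signal ever reaches the server. The function names and the 900-second limit are assumptions; the options-array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example, not from the original answers. Requires PHP 7.3+.

const MAX_IDLE_SECONDS = 900; // assumed idle limit; pick your own value

function start_browser_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // 0 = session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,     // send the SID over HTTPS only
        'httponly' => true,     // hide the SID from JavaScript
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1'); // reject SIDs the server did not issue
    session_start();
}

function log_in(int $userId): void
{
    session_regenerate_id(true);        // new SID at login, prevents session fixation
    $_SESSION['user_id'] = $userId;
    $_SESSION['last_seen'] = time();
}

function log_out(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Returns the logged-in user id, or null if there is no live login.
function current_user(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['last_seen'])) {
        return null;
    }
    if (time() - $_SESSION['last_seen'] > MAX_IDLE_SECONDS) {
        log_out();                      // idle too long: end the session server-side
        return null;
    }
    $_SESSION['last_seen'] = time();
    return (int) $_SESSION['user_id'];
}
```

Browsers that restore the previous session on startup can keep a lifetime-0 cookie across a restart, so the idle check in current_user() is what actually bounds how long a login stays valid.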
Reputation: 5631
I would use $_SESSION as it's easier. :P Anyway, as mentioned above, decide your case. If you need to keep the user logged in for a while even after the browser has been closed, use a cookie, but properly. It can be a security threat to you! Else use a session.
Upvotes: 1
Reputation: 744
"Sessions are not reliant on the user allowing a cookie. They work instead like a token allowing access and passing information while the user has their browser open. The problem with sessions is that when you close your browser you also lose the session. So, if you had a site requiring a login, this couldn't be saved as a session like it could as a cookie, and the user would be forced to re-login every time they visit.
You can of course get the best of both worlds! Once you know what each does, you can use a combination of cookies and sessions to make your site work exactly the way you want it to."
http://php.about.com/od/learnphp/qt/session_cookie.htm
Upvotes: 2