
When to use $_SESSION vs $_COOKIE


A critical feature in web programming is the ability to seamlessly pass data from one page load to the next. It’s used most commonly when dealing with user logins, but also for passing error messages, shopping carts, etc.

Storing data across pages using PHP is done with two variables in the global scope, called $_SESSION and $_COOKIE. Although they accomplish the same end goal, they go about it in very different ways. The purpose of this article is to give a brief look into the differences between cookies and sessions, when it’s better to use one versus the other, and the pros and cons of the two.

The difference is in how each stores data. Cookies store data locally in the user’s browser, while sessions store data on the webserver.


Session Basics

Sessions are simply server-side cookies each with a corresponding client side cookie that contains only a reference to its server-side counterpart. When a user visits a page, the client sends the reference code to the server, and PHP will then match that reference code to a server-side cookie and load the data in the server’s cookie into the $_SESSION superglobal.


Pros

  1. Can store very large amounts of data easily.
  2. Save bandwidth by passing only a reference to the session each pageload. A client-side cookie has to pass all of its data.
  3. Data is stored on the web server. This makes sessions secure, because the data cannot be viewed or edited by the client.


Cons

  1. Ends when the browser is closed unless you’ve configured php.ini to extend sessions’ cookie lifetime. Cannot last forever.

Cookie Basics

Cookie data is sent to the web server every page load. PHP reads and stores the value into the $_COOKIE superglobal. When a cookie is created, you can give it a lifespan. After that lifespan runs out, it will expire.


Pros

  1. Can last as long as the website needs. They will still be there even if the browser is closed and reopened.
  2. Useful for “remember me” logins
  3. Useful for storing temporary user settings. For example, if a user is browsing a paginated list of items, sorted a certain way, the sorting setting can be stored in a cookie.


Cons

  1. Stored in the user’s filesystem. This means that the user can tamper with it and view it.
  2. Can only store a limited amount of data.
  3. Must pass all data to the webserver each pageload. This takes up more bandwidth.

Cookies in Action

Creating a cookie

The function definition:

bool setcookie ( string name [, string value [, int expire [, string path [, string domain [, int secure]]]]])

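    if (!isset($_COOKIE['Ordering']) && isset($_POST['ChangeOrdering'])) {
        // Remember the chosen ordering for one year (31536000 seconds)
        setcookie("Ordering", $_POST['ChangeOrdering'], time() + 31536000);
    }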

Using a cookie

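  // The cookie value is client-controlled, so escape it before output
  echo isset($_COOKIE['Ordering']) ? htmlspecialchars($_COOKIE['Ordering'], ENT_QUOTES, 'UTF-8') : 'cookie value not set';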

Deleting a cookie

<?php setcookie('favorite_color'); ?>

Setting a cookie with no value is the same as deleting it. This will not remove the file from the client computer. To do this, you can set the cookie expiration date to a time in the past, and the browser will take care of it.
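Because the user can edit a cookie, the server should treat its value as untrusted input. The following is an added example, not code from the original article: it signs the Ordering cookie with an HMAC so that edits are detected, and only accepts values from an allow-list. The key, the list of orderings and the function names are assumptions made for illustration; the options-array form of setcookie() requires PHP 7.3 or later.

```php
<?php
// Placeholder secret (assumption): load a long random key from server-side config.
const COOKIE_KEY = 'replace-with-random-secret-from-config';
// Hypothetical list of sort orders the site supports.
const ALLOWED_ORDERINGS = ['name_asc', 'name_desc', 'price_asc', 'price_desc'];

// Returns "value.mac", where mac = HMAC-SHA256(value, COOKIE_KEY).
function sign_cookie_value(string $value): string
{
    return $value . '.' . hash_hmac('sha256', $value, COOKIE_KEY);
}

// Returns the signed value, or null if the cookie is malformed or was edited.
function verify_cookie_value(string $cookie): ?string
{
    $pos = strrpos($cookie, '.');
    if ($pos === false) {
        return null;
    }
    $value = substr($cookie, 0, $pos);
    $expected = hash_hmac('sha256', $value, COOKIE_KEY);
    // hash_equals() compares in constant time.
    return hash_equals($expected, substr($cookie, $pos + 1)) ? $value : null;
}

// Stores the ordering only if it is a value the site actually supports.
function remember_ordering(string $requested): bool
{
    if (!in_array($requested, ALLOWED_ORDERINGS, true)) {
        return false;
    }
    return setcookie('Ordering', sign_cookie_value($requested), [
        'expires'  => time() + 31536000, // one year, as in the article's example
        'path'     => '/',
        'secure'   => true,  // sent over HTTPS only
        'httponly' => true,  // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Reads the ordering back; a missing, malformed or edited cookie yields the default.
function current_ordering(array $cookies): string
{
    $raw = $cookies['Ordering'] ?? null;
    $value = is_string($raw) ? verify_cookie_value($raw) : null;
    return ($value !== null && in_array($value, ALLOWED_ORDERINGS, true)) ? $value : 'name_asc';
}
```

The signature protects integrity only: the user can still read the value, so anything that must stay private belongs in the session rather than in a cookie.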

Sessions in Action

Creating a session

<?php session_start(); ?>

This must be called near the top of your code before any output. When you call this function, PHP will check to see if the user sent a session cookie. If so, it will load the session data into $_SESSION. If not, it will create a new session file on the server and send the ID back to the client.

Setting a value

<?php $_SESSION['first_name'] = 'Brian'; ?>

Reading a session value

<?php echo $_SESSION['first_name']; ?>

Removing session data

<?php unset($_SESSION['first_name']); ?>

Ending a session

<?php session_destroy(); ?>
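The session data lives on the server, but the session ID still travels in a client-side cookie, so that cookie deserves the same care as any other credential. The following is an added example, not code from the original article, covering the full lifecycle described above: starting a session with restrictive cookie settings, issuing a fresh ID at login, and logging out. session_destroy() on its own neither empties $_SESSION for the current request nor removes the session cookie, so the logout step does both explicitly. The function names are assumptions; the options arrays require PHP 7.3 or later.

```php
<?php
// Call before any output, in place of a bare session_start().
function start_secure_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,     // dropped when the browser closes
        'path'     => '/',
        'secure'   => true,  // sent over HTTPS only
        'httponly' => true,  // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    // Reject session IDs that the server did not issue itself.
    ini_set('session.use_strict_mode', '1');
    session_start();
}

// Call once the user's credentials have been verified.
function log_in(string $firstName): void
{
    // New ID after a privilege change; true deletes the old session data.
    session_regenerate_id(true);
    $_SESSION['first_name'] = $firstName;
}

function log_out(): void
{
    $_SESSION = []; // clear the data for the rest of this request
    if (ini_get('session.use_cookies')) {
        // Expire the session cookie using the same attributes it was set with.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy(); // remove the server-side session data
}
```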

The Bottom Line

Sessions are cookies where the data is stored on the server. Cookies are stored in the user’s filesystem (typically in their “Temporary Internet Files” folder). Both have their advantages, but on any given day, you’ll probably find yourself using sessions much more commonly.

PHP Documentation

  1. PHP Manual: Sessions
  2. PHP Manual: Cookies
  3. $_COOKIE





$_COOKIE is set when the page loads, due to the stateless nature of the web. If you want immediate access, you can set $_COOKIE['uname'] yourself or use an intermediate variable.

Something like this could work:

if (isset($_COOKIE['uname'])) {
    // get data from cookie for local use
    $uname = $_COOKIE['uname'];
} else { // set cookie, local $uname already set
    setcookie('uname', $uname, time() + 60 * 30);
}



The cookie isn’t set until the response is sent back to the client, and isn’t available in your PHP until the next request from the client after that.

However, when you set the cookie in your script, you can do:

setcookie('uname', $uname, time()+60*30);
$_COOKIE['uname']= $uname;




You need to set the path value of the cookie to the root of your domain, as per the docs:

setcookie("username", $username, time()+365*24*60*60,'/');

Otherwise, it will be set to the current working directory, which is /PROC/ for your example. So, only scripts in /PROC/ would be able to use that cookie.
