In Web programming, HTTP is stateless, so that by default HTTP won’t allow you to share user’s data across pages.

Cookie and Session is the most basic technique of storing persistent data across page loads for a web visitor. There are much other storage like local storage, session storage, Indexed SQL, Web SQL, and more in the future, I’ll leave them in another post.

Cookies:

• Cookies store data directly on the client (Web Browser).
• Cookies are a key-value store in the Web Browser.
• Cookies can be defined (and retrieved) on the client via Javascript or on the server via HTTP Response headers.
• Cookies will be attached to the HTTP request automatically

Session:

• Sessions are stored on the Server side (Web Server)
• Sessions are a key-value store on the Server side
• Sessions can only be defined (and retrieved) on Server
• Sessions will be generated a Session-ID. This session-id will be sent back to the client to store in Cookie (mostly). When web-server receive a HTTP request from Client, I’ll use session-id to indicate which session store to be used.

It’s all about storing user’s data. Why don’t we use only Cookie or Session?

• Cookies are stored in the client in clear text -> It’s not safe to store sensitive data (phone number, card number,…)
• Cookies are stored in client -> It’s possible for hackers to modify request’data for a bad purpose (change user id to submit an unwanted request…)
• Cookies are stored in client -> It’s possible to retrieve data from client site without asking data from server -> speed up the page load
• Cookies are attached in HTTP Request (automatically) -> If we store too much data, HTTP request size will be bigger-> It will slow down the request.

• Sessions are stored in server -> It’s safe to store sensitive data  and hackers can’t modify your session data
• Sessions are stored in server -> It’s impossible to retrieve data from client site without asking data from server -> slow down the page load
• Sessions in regular web-hosting have their own time-out (5 mins – 20 mins), after the timeout your session will be clear
• Session make your Web-Farm be more complex & harder to maintain. In web-farm, there are more than 1 web-server, so that you need a central session server to share session data across web server. It’ll be more complex & your request would be slowed down a little bit (In this case, we can consider to use Token-based authentication to store user’s data)