Cookies and Sessions
Cookies
Cookies solve the problem of HTTP’s stateless nature. On your first visit to a site, the request carries no cookies. The server answers with a Set-Cookie header; your browser stores that cookie and sends it back in a Cookie header on later requests to the same site. This gives HTTP some memory.
Cookies have problems:
- They travel in plain text: unless the connection is HTTPS and the cookie carries the Secure attribute, it crosses the network unencrypted and can be read on the wire
- They are under the client’s control: anyone with the browser, or anyone who has obtained the cookie, can change its value or use it as an attack vector, so the server cannot trust what comes back without verifying it
- They’re small: browsers cap each cookie at about 4 KB (4096 bytes for name and value together)
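The second and third problems in that list, as an added example that is not code from the original page: because a cookie value is client-controlled, a server that wants to store data in the cookie itself has to be able to detect tampering. Signing the value with an HMAC does that; the key name, the constant `SECRET_KEY`, and the function names are assumptions for this illustration.

```python
# Added example, not from the original page: detect a rewritten cookie value
# by signing it with an HMAC, and check a value against the ~4 KB size limit.
import base64
import hashlib
import hmac

# Assumption: a random key that exists only on the server. A client who does
# not hold it cannot produce a valid signature for a changed value.
SECRET_KEY = b"replace-with-a-long-random-server-side-key"
MAX_COOKIE_BYTES = 4096  # per-cookie ceiling that browsers enforce


def sign_cookie_value(value: str, key: bytes = SECRET_KEY) -> str:
    """Return value + '.' + base64url(HMAC-SHA256(key, value))."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    tag = base64.urlsafe_b64encode(mac).decode().rstrip("=")
    return f"{value}.{tag}"


def verify_cookie_value(signed: str, key: bytes = SECRET_KEY):
    """Return the original value if the signature checks out, else None."""
    value, sep, _tag = signed.rpartition(".")  # the tag never contains '.'
    if not sep:
        return None  # unsigned value: treat as untrusted
    expected = sign_cookie_value(value, key)
    # Constant-time comparison so a mismatch position does not leak via timing.
    if hmac.compare_digest(expected, signed):
        return value
    return None


def fits_in_cookie(name: str, value: str) -> bool:
    """True if 'name=value' stays within the per-cookie size limit."""
    return len(f"{name}={value}".encode()) <= MAX_COOKIE_BYTES


if __name__ == "__main__":
    cookie = sign_cookie_value("role=user")
    print("server set  :", cookie)
    print("verifies    :", verify_cookie_value(cookie))
    forged = cookie.replace("role=user", "role=admin")  # client edits the value
    print("forged      :", verify_cookie_value(forged))
    print("4096 x fits :", fits_in_cookie("data", "x" * 4096))
```

The signature only proves the value came from the server; it does not hide it. Anything secret still must not be placed in the cookie, which is the motivation for sessions below.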
Sessions
Sessions use cookies differently. Instead of storing data in the cookie itself, they store just a key, an opaque identifier. The real data lives on the server. When a request arrives with the session key in its cookie, the server looks up the corresponding data.
This server-side data can live in different places—memory, databases, or file systems. The cookie just holds the key that points to where your session data actually sits. That key has to be long and unpredictable: whoever holds it holds the session, so it must come from a cryptographically secure random source, not from a counter or a timestamp.
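A minimal version of that arrangement, as an added example that is not code from the original page: an in-memory store stands in for the memory, database, or file-system backend, the cookie carries only a random key, and the server attaches the usual protective attributes when it sets the cookie. The cookie name `sid`, the timeout, and the class and function names are assumptions.

```python
# Added example, not from the original page: a server-side session store where
# the cookie holds only an opaque random key and the data stays on the server.
import secrets
import time

SESSION_COOKIE = "sid"         # assumed cookie name
SESSION_TTL_SECONDS = 30 * 60  # assumed idle timeout


class SessionStore:
    """Maps session keys to data. A dict here; a database or files in practice."""

    def __init__(self, now=time.time):
        self._data = {}   # key -> (expires_at, data)
        self._now = now   # injectable clock so expiry can be exercised in tests

    def create(self, data: dict) -> str:
        # 32 bytes from the OS CSPRNG: holding the key is all it takes to own
        # the session, so the key must be unguessable.
        key = secrets.token_urlsafe(32)
        self._data[key] = (self._now() + SESSION_TTL_SECONDS, dict(data))
        return key

    def lookup(self, key: str):
        """Return the session data for key, or None if unknown or expired."""
        entry = self._data.get(key)
        if entry is None:
            return None
        expires_at, data = entry
        if self._now() >= expires_at:
            del self._data[key]   # expired: drop it so it cannot be revived
            return None
        return data

    def destroy(self, key: str) -> None:
        """Logout: forgetting the key on the server invalidates the cookie."""
        self._data.pop(key, None)


def set_cookie_header(key: str) -> str:
    # Secure keeps the key off plaintext HTTP, HttpOnly keeps it away from
    # page script, SameSite=Lax limits cross-site sending.
    return f"Set-Cookie: {SESSION_COOKIE}={key}; Path=/; HttpOnly; Secure; SameSite=Lax"


def session_key_from_cookie_header(cookie_header: str):
    """Pull the session key out of a request's Cookie header, e.g. 'a=1; sid=abc'."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_COOKIE:
            return value
    return None


if __name__ == "__main__":
    store = SessionStore()
    key = store.create({"user_id": 42, "role": "user"})
    print(set_cookie_header(key))                      # what the server sends
    incoming = f"theme=dark; {SESSION_COOKIE}={key}"   # constructed request header
    print(store.lookup(session_key_from_cookie_header(incoming)))
    print(store.lookup("guessed-key"))                 # None: nothing to look up
```

Note that the cookie value never changes meaning on the client side: editing it just yields a key the server does not know, which is why session data is safe from the tampering problem above even without a signature.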