PHP sessions vs cookies

Walden Systems Geeks Corner
PHP is a popular general-purpose scripting language that is especially suited to web development. Fast, flexible and pragmatic, PHP powers everything from your blog to the most popular websites in the world.

We've all been taught that HTTP is stateless: any data we store is forgotten after the page is sent to the client and the connection is closed. Eventually, Netscape introduced cookies as a solution: pieces of information that a web site could store on the client's machine and that were sent back to the web site each time a new page was requested. Each cookie could only be read by the web site that had written it, meaning that it was a secure way to store information across pages. Cookies earned a bad name at first because they allowed site owners to track how often a visitor came to their site and what they did there, and many people believed that cookies signaled the end of privacy on the web.

Sessions were the new and improved version of cookies. They are a way of storing data on the server side, since the main problem with storing anything sensitive on clients' machines is that the information can be tampered with. To set up a unique identifier on the client, sessions still use a small cookie, but this cookie just holds a value that uniquely identifies the client to the server and corresponds to a data file on the server. Both cookies and sessions are available to you as a PHP developer, and both accomplish the similar task of storing data across pages on your site. However, there are differences between the two that make each favorable in its own circumstances.


Security

Storing sensitive information is more secure using sessions, since the data is stored on the server. Cookie data, on the other hand, is held on the client side and can be easily manipulated. Cookies also send their data every time the client makes a server request, such as reloading the page or going to another page. Sessions, on the other hand, only send the session ID to the server, so sensitive information is not constantly being sent. This shortcoming of cookies can be mitigated by encrypting cookie data. Session data is also deleted when the browser is closed or the user leaves the site. Cookies, on the other hand, can keep their data for months or years, depending on what expiration was used when the cookie was created.
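The mitigation mentioned above, as an added example that is not code from the original article: cookie data is encrypted with an authenticated cipher, so a value edited on the client is rejected instead of being trusted. The helper names `sealCookie()` and `openCookie()`, the cookie name `prefs` and the sample data are hypothetical, and the sodium extension (bundled with PHP since 7.2) is assumed.

```php
<?php
declare(strict_types=1);

// Added illustration; sealCookie()/openCookie() are hypothetical helper names.

/** Encrypt and authenticate an array so it can be stored in a cookie. */
function sealCookie(array $data, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh per value
    $plain = json_encode($data, JSON_THROW_ON_ERROR);
    $box   = sodium_crypto_secretbox($plain, $nonce, $key);
    return sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

/** Return the stored array, or null if the value is malformed or was altered. */
function openCookie(string $value, string $key): ?array
{
    try {
        $raw = sodium_base642bin($value, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    } catch (SodiumException $e) {
        return null; // not valid base64
    }
    $minLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if (strlen($raw) < $minLen) {
        return null; // too short to hold a nonce and an authentication tag
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        return null; // tag check failed: value was modified or the key is wrong
    }
    $data = json_decode($plain, true);
    return is_array($data) ? $data : null;
}

// Constructed demo. On a real site the key is loaded from server-side
// configuration and never sent to the client.
$key    = sodium_crypto_secretbox_keygen();
$cookie = sealCookie(['user_id' => 42, 'theme' => 'dark'], $key);
// In a web request the value would be sent with:
// setcookie('prefs', $cookie, ['expires' => time() + 2592000,
//     'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);

var_dump(openCookie($cookie, $key));      // untouched value round-trips

$tampered    = $cookie;
$tampered[0] = $tampered[0] === 'A' ? 'B' : 'A'; // simulate a client-side edit
var_dump(openCookie($tampered, $key));    // edited value is refused
```

The sealed value still travels with every request and still counts against the cookie size limit; encryption only keeps the client from reading or changing it.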

Storage

Since cookies send data every time a page is loaded, there is a limit to the amount of data a cookie can hold. Usually, this limit is about 4K. Sessions don't have this limitation because only the ID is sent with page requests. The amount of data sessions can hold is limited by the storage available to the server. Cookies can only hold string data, whereas sessions can hold any type of data as long as it is serializable. Cookies can be set to a long lifespan, which means that data stored in a cookie can be kept for months or years. Since cookies store the data on the client, they work smoothly when we have a cluster of web servers. Session data, by contrast, is stored on the server, meaning that if one of our web servers handles the first request, the other web servers in our cluster will not have the stored information.

Bandwidth

Sessions are stored on the server, which means clients do not have access to the information you store about them. This is important if we store information that we don't want visitors to be able to modify. Session data does not need to be sent with each page. Clients just need to send an ID and the data is loaded from the local file. Finally, sessions can be any size you want because they are held on your server, whereas many web browsers have a limit on how big cookies can be to stop malicious web sites from using up storage with meaningless cookie information.

Both cookies and sessions have their own advantages, but at the end of the day it usually comes down to one choice: do we want our data to work when our visitor comes back the next day? If so, then our only choice is cookies. If we have any sensitive information, our best bet is to store it in a database, then use the cookie to store an ID number to reference the data. If we do not need semi-permanent data, then sessions are generally preferred, as they are a little easier to use, do not require their data to be sent in its entirety with each page, and are also cleaned up as soon as the visitor closes their web browser.