8

In Internet Explorer, for example, you can enable first party cookies, third party cookies and allow session cookies.

I know the difference between:

  • a first party cookie and a third party cookie, and
  • a PHP session and a cookie.

But what is a session cookie? And how can you set one using PHP?

For example, you cannot log into Facebook without cookies enabled. However, if you allow session cookies, you can log into Facebook.

So, how does a session cookie differ from other kinds of cookies?

DavidRR
jon
  • One place to start is the info page for the [\[session-cookies\]](https://stackoverflow.com/tags/session-cookies/info) tag. – DavidRR Jan 12 '18 at 13:47

4 Answers

6

A cookie has a lifetime, after which it will expire (as denoted by the Expires directive). If you don't set a timeout, the browser will expire the cookie when you close the browser. This is called a session cookie.

These kinds of cookies are often used to track a user's current session state on the server side (e.g. PHP's sessions), but there is not a strong relation between the two uses of the word "session".

troelskn
  • This question also interests me. Do you mean there is nothing special in a cookie itself which identified it as a session cookie? A special keyword or something? (found the answer: a session cookie has no `Expires` -- which means your definition is not fully correct) – fge Dec 17 '11 at 20:22
  • Thanks troelskn, that appears to be solving my problems. Regards, J... Can I ask: do sites like Facebook etc. use these kinds of session cookies rather than php_sessions to keep a user logged in, so that it is less intensive on the server? Regards, J – jon Dec 17 '11 at 20:27
  • @jon Server side state mechanisms (Such as php's sessions) are usually tracked through a session cookie. So in these cases, session cookies are used as a foundation for server side sessions. They are not alternatives. – troelskn Dec 17 '11 at 20:45
3

A session cookie holds the unique identifier that PHP generates when session_start() is called, so that each client can be associated with a session, and no two sessions can have the same ID at the same time.

The session cookie is usually destroyed when the browser window is closed, or this can be done manually using session_destroy().

Bojangles
2

From Wikipedia:

Older definition: (2011-12-17)

A session cookie is created when no Expires directive is provided when the cookie is created.

Latest definition:

A session cookie, also known as an in-memory cookie or transient cookie, exists only in temporary memory while the user navigates the website.[18] Web browsers normally delete session cookies when the user closes the browser.[19] Unlike other cookies, session cookies do not have an expiration date assigned to them, which is how the browser knows to treat them as session cookies.

DavidRR
fge
1

In PHP, when you use session_start(), it creates a session. This will create a session cookie in the client browser. PHP needs the client to send this info back with each request so that PHP can tell the session ID.

Drahcir
  • I'm not saying you are wrong; however, I can still use PHP sessions and have 1st party cookies disabled and don't allow session cookies... so I'm assuming that sessions are stored purely server-side?... regards J – jon Dec 17 '11 at 20:30
  • @jon: The actual session is stored server-side, but there is a reference to the session on the client side. – Drahcir Dec 17 '11 at 20:42
  • Thanks Richard... that is because without the cookie, you wouldn't know what session was for what user. – jon Dec 17 '11 at 21:03
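
The distinction the answers above describe (no `Expires` means a session cookie), shown from the PHP side as an added example that is not part of the original question or answers. The cookie names `theme` and `lang`, the `seen` counter and the helper functions are constructed for illustration; the script assumes PHP 7.3 or later, an HTTPS site, and that it is requested through a web server.

```php
<?php
// Added example; cookie names and values below are constructed.

// Attributes shared by every cookie here: HTTPS only, hidden from
// JavaScript, withheld from most cross-site requests.
const COMMON = ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax'];

// Session cookie: 'expires' => 0 makes PHP omit the expiry attributes,
// so the browser discards the cookie when it closes.
function set_session_cookie(string $name, string $value): bool
{
    return setcookie($name, $value, ['expires' => 0] + COMMON);
}

// Persistent cookie: a future timestamp makes PHP send an expiry.
function set_persistent_cookie(string $name, string $value, int $ttl): bool
{
    return setcookie($name, $value, ['expires' => time() + $ttl] + COMMON);
}

// A Set-Cookie value describes a session cookie when it carries
// neither an Expires nor a Max-Age attribute.
function is_session_cookie(string $setCookie): bool
{
    $attrs = array_slice(explode(';', $setCookie), 1); // drop name=value
    foreach ($attrs as $attr) {
        $key = strtolower(trim(explode('=', $attr, 2)[0]));
        if ($key === 'expires' || $key === 'max-age') {
            return false;
        }
    }
    return true;
}

// PHP's own session ID cookie: lifetime 0 keeps it a session cookie.
session_set_cookie_params(['lifetime' => 0] + COMMON);
session_start();
$_SESSION['seen'] = ($_SESSION['seen'] ?? 0) + 1; // data stays on the server

set_session_cookie('theme', 'dark');
set_persistent_cookie('lang', 'en', 30 * 24 * 3600);

// List the cookies this response sets and how a browser will treat them.
header('Content-Type: text/plain');
foreach (headers_list() as $h) {
    if (stripos($h, 'Set-Cookie:') === 0) {
        $v = trim(substr($h, strlen('Set-Cookie:')));
        echo (is_session_cookie($v) ? 'session   ' : 'persistent'), "  $v\n";
    }
}
```

Browsers configured to restore the previous session on startup may keep session cookies across a restart, so the server-side session should still have its own timeout.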