For novice programmers the distinction between sessions and cookies is usually confusing, and even experienced programmers are sometimes baffled by their internal implementation. The general notion is that cookies live on the client side while sessions are created on the server side. That is correct, but other aspects of the concept should be understood to make full use of what sessions and cookies offer and to take a careful, correct decision about where to store your confidential data.
First, a concise definition: sessions and cookies are both used to carry data between client and server; the data involved becomes part of the protocol header and is exchanged throughout the communication. Both exist to overcome the problems caused by the stateless nature of HTTP. A cookie can persist longer than a single session, even after the browser is closed, whereas a session does not. With cookies, all data stored for a particular website or domain is exchanged on every request; with sessions, only the session id is.
The first major difference is the creation location: sessions are created on the server side while cookies are on the client side. But where should data be kept, and why? One strategy suggests that data needed more on the client side than on the server side belongs in cookies, and data that travels back and forth rapidly belongs in the session. This is not entirely true.
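The two storage models described above, side by side, as an added example that is not part of the original post. The user state, the in-memory session store and the cookie names `sid` and `data` are constructed for the illustration: a session puts the state on the server and hands the browser only an opaque id, while a cookie-only design makes the browser replay the whole encoded state on every request, and that replayed state is client-supplied and therefore untrusted.

```python
import base64
import json
import secrets
from http.cookies import SimpleCookie

# Constructed sample of per-user state; not taken from any real application.
USER_STATE = {"user_id": 4711, "display_name": "alice", "cart": ["sku-100", "sku-205"]}

# Server-side session store: a dict here, a database or cache in production.
SESSION_STORE = {}


def create_session(state):
    """Keep the state on the server; return an opaque, unguessable session id."""
    session_id = secrets.token_urlsafe(32)  # 256 bits of randomness, 43 characters
    SESSION_STORE[session_id] = dict(state)
    return session_id


def session_cookie(session_id):
    """Cookie header value the browser replays: only the id travels."""
    return f"sid={session_id}"


def data_cookie(state):
    """Cookie-only design: the whole state, encoded, travels on every request."""
    blob = base64.urlsafe_b64encode(json.dumps(state).encode()).decode()
    return f"data={blob}"


def _cookie_value(cookie_header_value, name):
    jar = SimpleCookie()
    jar.load(cookie_header_value)
    morsel = jar.get(name)
    return morsel.value if morsel else None


def read_state_from_session(cookie_header_value):
    """Server side: resolve the id to stored state; None if unknown or expired."""
    session_id = _cookie_value(cookie_header_value, "sid")
    return SESSION_STORE.get(session_id) if session_id else None


def read_state_from_data_cookie(cookie_header_value):
    """Server side: decode the state the client sent (the client wrote it, so it is untrusted)."""
    blob = _cookie_value(cookie_header_value, "data")
    if blob is None:
        return None
    return json.loads(base64.urlsafe_b64decode(blob))


def bytes_per_request(cookie_header_value):
    """Bytes of cookie data the browser adds to every request to this origin."""
    return len(cookie_header_value.encode())
```

The size comparison is the point of the third paragraph: as the state grows, the data cookie grows with it and is paid for on every request, while the session cookie stays at the size of one id.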
The best approach to deciding where to store data is to view it from the standpoint of the storage and communication technique, which must serve system optimization and performance; these two are goals of every system, so any paradigm or anything else that could hurt them should be avoided. Data that is large and could slow effective communication must not be stored on the client side, because every time a request is sent to the server, all data stored in the cookie is sent along with it. In conclusion, we must keep communication latency under control and optimized.
In the pursuit of low communication latency, and talking about small amounts of data, perhaps a few KB: can I put my password in a cookie? A good password is between 12 and 20 characters, which is a manageable size, but what if my session is hijacked and an intruder gets my password? Here security plays its role. You hardly want your confidential data to travel over an unreliable channel, because there could be a loophole anywhere between your system and the server, and if your protocol header is snatched you can become another victim of cybercrime. One modern security technique is signing or encrypting the cookie with a secret key or hash to make the cookie data harder to read or tamper with. Therefore, the second point is: never put confidential data in cookies unless you absolutely must, and then it should be encrypted as strongly as possible.
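The signing technique mentioned above, worked through as an added example (not code from the original post): an HMAC-SHA256 tag over the cookie payload, checked with a constant-time comparison, plus an expiry stamp. `SECRET_KEY` is a constructed placeholder for a secret the server would load from configuration, and the `<payload>.<tag>` layout is an assumption of this example. The `peek` function makes the caveat from the paragraph concrete: a signed cookie is tamper-evident, not secret, so signing alone does not make it safe to carry a password.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed: a server-side secret loaded from configuration. Constructed
# placeholder for this example only; a real deployment uses random bytes.
SECRET_KEY = b"example-only-secret-replace-with-32-random-bytes"


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(payload, ttl_seconds, now=None):
    """Return '<base64 json>.<base64 HMAC-SHA256>' with an expiry stamped into the payload."""
    body = dict(payload)
    body["exp"] = int(time.time() if now is None else now) + ttl_seconds
    data = _b64e(json.dumps(body, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(SECRET_KEY, data.encode(), hashlib.sha256).digest()
    return f"{data}.{_b64e(tag)}"


def verify_cookie(value, now=None):
    """Return the payload if the tag matches and the cookie is unexpired, else None."""
    try:
        data, tag = value.split(".", 1)
        expected = hmac.new(SECRET_KEY, data.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(tag)):  # constant-time comparison
            return None
        body = json.loads(_b64d(data))
        if not isinstance(body, dict):
            return None
        if body.get("exp", 0) < (time.time() if now is None else now):
            return None
    except (ValueError, TypeError):
        return None  # malformed base64, JSON or expiry: treat as invalid
    return body


def peek(value):
    """Anyone holding the cookie can read the payload without the key: signing is not encryption."""
    return json.loads(_b64d(value.split(".", 1)[0]))


def tampered_copy(value, new_payload):
    """Same tag, edited payload: what verification must reject."""
    tag = value.split(".", 1)[1]
    return f"{_b64e(json.dumps(new_payload).encode())}.{tag}"
```

The expiry check matters as much as the tag: without it a valid signed cookie stays valid forever, which is the "session hijacked" scenario the paragraph worries about.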
There are many other reasons, of lesser significance, that decide where to put data. For example, implementing "Remember me" functionality leads you to store data in a cookie. Some users are very careful and do not allow any cookie to be created on the client side, which is why many popular websites prefer to keep data in the session. Some websites are cookieless and keep the session ID in the query string, but that is the least secure method, as it is prone to being hijacked unless it is encrypted well.
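The "Remember me" cookie from the paragraph above, and the persistence difference from the second paragraph, as an added example that is not part of the original post: a persistent cookie carries `Max-Age` (or `Expires`), while a session cookie carries neither and is discarded when the browser exits. The 30-day lifetime and the cookie names are constructed for the illustration; the `Secure`, `HttpOnly` and `SameSite` attributes are standard cookie attributes that the checker below reports when absent.

```python
from http.cookies import SimpleCookie

REMEMBER_ME_DAYS = 30  # constructed policy value for the example


def set_cookie_header(name, value, persistent, secure=True):
    """Build a Set-Cookie header value; without Max-Age/Expires the browser drops it at exit."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["httponly"] = True       # not readable by page scripts
    morsel["samesite"] = "Lax"      # not sent on cross-site POST requests
    if secure:
        morsel["secure"] = True     # only sent over HTTPS
    if persistent:
        morsel["max-age"] = REMEMBER_ME_DAYS * 24 * 3600
    return morsel.OutputString()


def _parse(set_cookie_value):
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    return next(iter(jar.values()))


def is_persistent(set_cookie_value):
    """True if the cookie outlives the browser session (has Max-Age or Expires)."""
    morsel = _parse(set_cookie_value)
    return bool(morsel["max-age"] or morsel["expires"])


def missing_protections(set_cookie_value):
    """Names of the standard protective attributes the header does not set."""
    morsel = _parse(set_cookie_value)
    missing = []
    if not morsel["secure"]:
        missing.append("Secure")
    if not morsel["httponly"]:
        missing.append("HttpOnly")
    if not morsel["samesite"]:
        missing.append("SameSite")
    return missing
```

A "Remember me" cookie is exactly the long-lived token the earlier paragraphs warn about, so it is the one that most needs the protective attributes and should hold a random token, never the password itself.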
In conclusion, many factors can influence your decision. All the points above should be considered, and there may be many more. It is always the system architect's call how the system should be designed.