php Cookies and sessions

Notice: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/6253633/

Date: 2020-08-25 23:48:02  Source: igfitidea

Cookies vs. sessions

Tags: php, session, cookies

Asked by Nadjib Mami

I started using PHP a couple of months ago. For the sake of creating a login system for my website, I read about cookies and sessions and their differences (cookies are stored in the user's browser and sessions on the server). At that time, I preferred cookies (and who does not like cookies?!) and just said: "who cares? I don't have any good deal with storing it in my server", so, I went ahead and used cookies for my bachelor graduation project. However, after doing the big part of my app, I heard that for the particular case of storing the user's ID, sessions are more appropriate. So I started thinking about what I would say if the jury asks me "why have you used cookies instead of sessions?" I have just that reason (that I do not need to store information about the user internally). Is that enough as a reason? Or is it more than that?
Could you please tell me about the advantages/disadvantages of using cookies for keeping the user's ID?

Thanks for you all in StackOverflow!

Answered by Fosco

The concept is storing persistent data across page loads for a web visitor. Cookies store it directly on the client. Sessions use a cookie as a key of sorts, to associate with the data that is stored on the server side.

It is preferred to use sessions because the actual values are hidden from the client, and you control when the data expires and becomes invalid. If it was all based on cookies, a user (or hacker) could manipulate their cookie data and then play requests to your site.

Edit: I don't think there is any advantage to using cookies, other than simplicity. Look at it this way... Does the user have any reason to know their ID#? Typically I would say no, the user has no need for this information. Giving out information should be limited on a need to know basis. What if the user changes his cookie to have a different ID, how will your application respond? It's a security risk.

Before sessions were all the rage, I basically had my own implementation. I stored a unique cookie value on the client, and stored my persistent data in the database along with that cookie value. Then on page requests I matched up those values and had my persistent data without letting the client control what that was.
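As an added example that is not part of Fosco's answer, here is the pattern he warns against (the user ID itself in a cookie, trusted on every request) next to the session-based form, where the cookie carries only an opaque session ID and the user ID lives in `$_SESSION`. The user table and `find_user_by_credentials()` are constructed for the demo; a real application would query its database.

```php
<?php
// Added example, not from the original answer. The user table below is
// constructed for the demo; find_user_by_credentials() stands in for a DB query.

const IDLE_TIMEOUT = 24 * 60; // seconds; same as PHP's default session.gc_maxlifetime

function find_user_by_credentials(string $username, string $password): ?int
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    }
    if (!isset($users[$username])) {
        return null;
    }
    return password_verify($password, $users[$username]['hash']) ? $users[$username]['id'] : null;
}

// ---- Insecure: the browser is allowed to say who it is -----------------------
function login_insecure(string $username, string $password): void
{
    $userId = find_user_by_credentials($username, $password);
    if ($userId !== null) {
        // The real ID goes to the client. Anyone can edit it to "user_id=1".
        setcookie('user_id', (string) $userId, time() + 86400, '/');
    }
}

function current_user_insecure(): ?int
{
    // Trusts whatever the client sent: this is the account-takeover bug.
    return isset($_COOKIE['user_id']) ? (int) $_COOKIE['user_id'] : null;
}

// ---- Session-based: the cookie is only an opaque key into server-side state --
function start_secure_session(): void
{
    ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never take the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,       // session cookie: the browser drops it on close
        'path'     => '/',
        'secure'   => true,    // HTTPS only
        'httponly' => true,    // invisible to document.cookie, so XSS cannot read it
        'samesite' => 'Lax',   // not attached to cross-site POSTs
    ]);
    session_start();
}

function login_with_session(string $username, string $password): bool
{
    $userId = find_user_by_credentials($username, $password);
    if ($userId === null) {
        return false;
    }
    session_regenerate_id(true);      // fresh ID on login defeats session fixation
    $_SESSION['user_id']       = $userId;
    $_SESSION['last_activity'] = time();
    return true;
}

// gc_maxlifetime is only a hint for PHP's probabilistic garbage collector,
// so enforce the idle timeout explicitly on every request.
function current_user(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['last_activity'])) {
        return null;
    }
    if (time() - $_SESSION['last_activity'] > IDLE_TIMEOUT) {
        logout();
        return null;
    }
    $_SESSION['last_activity'] = time();
    return $_SESSION['user_id'];
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

With this in place, an edited cookie only yields an unknown session ID, which `session.use_strict_mode` rejects, and the idle timeout is enforced by the application rather than left to `session.gc_maxlifetime` (1440 seconds, the "24 minutes" quoted in other answers), which only says when the garbage collector is allowed to delete the file, not when it will.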

Answered by Nadjib Mami

Basic ideas to distinguish between those two.

Session:

  1. IDU is stored on the server (i.e. server-side)
  2. Safer (because of 1)
  3. Expiration cannot be set; session variables will expire when users close the browser. (nowadays it is stored for 24 minutes by default in PHP)

Cookies:

  1. IDU is stored in the web browser (i.e. client-side)
  2. Not very safe, since hackers can reach and get your information (because of 1)
  3. Expiration can be set (see setcookie() for more information)

Session is preferred when you need to store short-term information/values, such as variables for calculating, measuring, querying etc.

Cookies are preferred when you need to store long-term information/values, such as the user's account (so that even when they shut down the computer for 2 days, their account will still be logged in). I can't think of many examples for cookies since they aren't adopted in most situations.

Answered by Zalaboza

SESSIONS ENDS WHEN USER CLOSES THEIR BROWSER,

COOKIES END DEPENDING ON THE LIFETIME YOU SET FOR IT. SO THEY CAN LAST FOR YEARS

This is the major difference in your choice,

If you want the id to be remembered for a long time, then you need to use cookies; otherwise, if you just want the website to recognize the user for this visit only, then sessions are the way to go.

Sessions are stored in a file your PHP server will generate. To remember which file is for which user, PHP will also set a cookie in the user's browser that holds this session file id, so on their next visit PHP will read this file and reload the session.

Now PHP by default clears sessions every interval, and the naming convention of sessions also makes them auto-expire. Also, browsers will not keep the cookie that holds the session id once the browser is closed or the history is cleared.

It's important to note that nowadays browsers also support other kinds of storage engines such as LocalStorage, SessionStorage, and other web DB engines that JavaScript code can use to save data on your computer to remember you. If you open the JavaScript console inside Facebook, for example, and type "localStorage", you will see all the variables Facebook uses to remember you without cookies.

Answered by Makan Tayebi

When you save the #ID as the cookie to recognize logged-in users, you actually are showing data to users that is not related to them. In addition, if a third party tries to set random IDs as cookie data in their browser, they will be able to convince the server that they are a user while they actually are not. That's a lack of security.

You have used cookies, and as you said you have already completed most of the project. Besides, cookies have the privilege of remaining for a long time, while sessions end more quickly. So sessions are not suitable in this case. In reality many famous and popular websites and services use cookies, and you can stay logged in for a long time. But how can you use their method to create a safer log-in process?

Here's the idea: you can improve the way you use cookies. If you use random keys instead of IDs to recognize logged-in users, first, you don't leak your primary data to random users, and second, if you make the random key large enough, it will be harder for anyone to guess a key or create a random one. For example you can save a 40-length key like this in the user's browser: "KUYTYRFU7987gJHFJ543JHBJHCF5645UYTUYJH54657jguthfn" and it will be less likely for anyone to create the exact key and pretend to be someone else.

Answered by DOK

Actually, sessions and cookies are not always separate things. Often, but not always, a session uses cookies.

There are some good answers to your question in these other questions here. Since your question is specifically about saving the user's IDU (or ID), I don't think it is quite a duplicate of those other questions, but their answers should help you.

cookies vs session

Cache VS Session VS cookies?

What is the difference between a Session and a Cookie?

Answered by Fifi

Short answer

Rules ordered by priority:

  • Rule 1. Never trust user input: cookies are not safe. Use sessions for sensitive data.
  • Rule 2. If persistent data must remain when the user closes the browser, use cookies.
  • Rule 3. If persistent data does not have to remain when the user closes the browser, use sessions.
  • Rule 4. Read the detailed answer!


Detailed answer

Cookies

  • Cookies are stored on the client side (in the visitor's browser).
  • Cookies are not safe: it's quite easy to read and write cookie contents.
  • When using cookies, you have to notify visitors according to European laws (GDPR).
  • Expiration can be set, but the user or browser can change it.
  • Users (or browsers) can (be set to) decline the use of cookies.

Sessions

  • Sessions are stored on the server side.
  • Sessions use cookies (see below).
  • Sessions are safer than cookies, but not invulnerable.
  • Expiration is set in the server configuration (php.ini for example).
  • The default expiration time is 24 minutes or when the browser is closed.
  • Expiration is reset when the user refreshes or loads a new page.
  • Users (or browsers) can (be set to) decline the use of cookies, and therefore sessions.
  • Legally, you also have to notify visitors about the cookie, but due to the lack of precedent this is not clear yet.

The appropriate choice

Sessions use a cookie! Session data is stored on the server side, but a UID is stored on the client side in a cookie. It allows the server to match a given user with the right session data. The UID is protected and hard to hack, but not invulnerable. For sensitive actions (changing email or resetting password), do not rely on sessions or cookies: ask for the user's password to confirm the action.

Sensitive data should never be stored in cookies (emails, encrypted passwords, personal data ...). Keep in mind the data are stored on a foreign computer, and if the computer is not private (classroom or public computers) someone else can potentially read the cookie contents.

Remember-me data must be stored in cookies, otherwise the data will be lost when the user closes the browser. However, don't save the password or user personal data in the 'remember-me' cookie. Store user data in the database and link this data with an encrypted ID / key pair stored in a cookie.

After considering the previous recommendations, the following question is finally what helps you choose between cookies and sessions:

Must persistent data remain when the user closes the browser ?

  • If the answer is yes, use cookies.
  • If the answer is no, use sessions.

Source: https://www.lucidar.me/en/web-dev/sessions-or-cookies/
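The "random key instead of the ID" idea in Makan Tayebi's answer and the "database record linked to an ID / key pair in a cookie" rule in Fifi's answer are the same remember-me token pattern. Here it is as an added example (my code, not from either answer). The `$store` array and the `remember_tokens` table layout in the comment are assumptions standing in for your database; the cookie holds a public selector for the lookup plus a secret validator of which only a hash is kept server-side, so a leaked database copy cannot be replayed.

```php
<?php
// Added example, not from either answer. $store stands in for a database table
// remember_tokens(selector PRIMARY KEY, validator_hash, user_id, expires_at).

const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL    = 30 * 86400; // 30 days: the "long-term" case

// Called after a successful password login when "remember me" is ticked.
function issue_remember_token(array &$store, int $userId): string
{
    $selector  = bin2hex(random_bytes(12));  // public lookup key (96 bits)
    $validator = bin2hex(random_bytes(32));  // secret (256 bits); only its hash is stored
    $store[$selector] = [
        'validator_hash' => hash('sha256', $validator),
        'user_id'        => $userId,
        'expires_at'     => time() + REMEMBER_TTL,
    ];
    $cookie = $selector . ':' . $validator;
    setcookie(REMEMBER_COOKIE, $cookie, [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    return $cookie;
}

// Map the cookie back to a user ID; null for a missing, malformed, expired or
// forged cookie. hash_equals() keeps the comparison constant-time.
function user_from_remember_token(array &$store, ?string $cookie): ?int
{
    if ($cookie === null || !preg_match('/^([0-9a-f]{24}):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;
    }
    [, $selector, $validator] = $m;
    $row = $store[$selector] ?? null;
    if ($row === null) {
        return null;
    }
    if ($row['expires_at'] < time()) {
        unset($store[$selector]);
        return null;
    }
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Right selector, wrong secret: someone is guessing or the token leaked.
        // Revoke it so the legitimate holder has to log in again.
        unset($store[$selector]);
        return null;
    }
    return $row['user_id'];
}

// Demo against a constructed in-memory store.
function demo(): bool
{
    $store  = [];
    $cookie = issue_remember_token($store, 42);
    $ok     = user_from_remember_token($store, $cookie) === 42;

    // Attacker edits one hex digit of the validator.
    $forged   = substr($cookie, 0, -1) . ($cookie[-1] === '0' ? '1' : '0');
    $rejected = user_from_remember_token($store, $forged) === null;
    $revoked  = !isset($store[substr($cookie, 0, 24)]);

    // A bare user ID as the cookie value, the pattern both answers warn against.
    $idOnly = user_from_remember_token($store, '42') === null;

    return $ok && $rejected && $revoked && $idOnly;
}

var_dump(demo());
```

A session restored from this cookie should be treated as less trusted than one created by typing the password: record when the password was last verified in `$_SESSION` and, as Fifi's answer recommends, ask for it again before changing the email address or password.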

Answered by Muhammad Sanaullah

I personally use both cookies and session.

Cookies are only used when the user clicks on the "remember me" checkbox, and also the cookies are encrypted and the data is only decrypted on the server. If anyone tries to edit the cookies, our decrypter is able to detect it and refuse the request.

I have seen so many sites where login info are stored in cookies, anyone can just simply change the user's id and username in cookies to access anyone account.

Thanks,
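An "encrypted cookie whose edits the server can detect", as this answer describes, needs authenticated encryption, not just encryption. The following added example (mine, not the answerer's code) uses PHP's bundled libsodium binding; `sodium_crypto_secretbox` combines XSalsa20 with a Poly1305 tag, so `sodium_crypto_secretbox_open` fails on any modified byte. The key is generated inline only for the demo.

```php
<?php
// Added example, not the answerer's code. Uses ext/sodium (bundled with PHP since 7.2).
// The key is generated here for the demo; in production load it from server-side
// configuration and never derive it from anything the client sends.

function seal_cookie(array $payload, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = json_encode($payload, JSON_THROW_ON_ERROR);
    // secretbox = XSalsa20 + Poly1305: encrypts AND authenticates, so any edit
    // to the ciphertext is detected on opening. Encryption without a MAC
    // would not give you that.
    $box = sodium_crypto_secretbox($plain, $nonce, $key);
    return sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

function open_cookie(?string $cookie, string $key): ?array
{
    if ($cookie === null) {
        return null;
    }
    try {
        $raw = sodium_base642bin($cookie, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    } catch (SodiumException $e) {
        return null; // not even valid base64
    }
    $minLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if (strlen($raw) < $minLen) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        return null; // authentication tag mismatch: edited cookie or wrong key
    }
    $data = json_decode($plain, true);
    // Expiry lives inside the sealed payload, so the client cannot extend it
    // by editing the cookie's Expires attribute in the browser.
    if (!is_array($data) || !isset($data['exp']) || $data['exp'] < time()) {
        return null;
    }
    return $data;
}

function demo(): bool
{
    $key    = sodium_crypto_secretbox_keygen();
    $cookie = seal_cookie(['user_id' => 42, 'exp' => time() + 86400], $key);
    setcookie('auth', $cookie, ['expires' => time() + 86400, 'path' => '/',
                                'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);

    $opened = open_cookie($cookie, $key);
    $ok = $opened !== null && $opened['user_id'] === 42;

    // Flip one character inside the ciphertext portion: the tag check must fail.
    $pos      = strlen($cookie) - 5;
    $tampered = substr_replace($cookie, $cookie[$pos] === 'A' ? 'B' : 'A', $pos, 1);
    $rejected = open_cookie($tampered, $key) === null;

    // A different server key (e.g. after rotation) also rejects the cookie.
    $otherKey = open_cookie($cookie, sodium_crypto_secretbox_keygen()) === null;

    return $ok && $rejected && $otherKey;
}

var_dump(demo());
```

Compared with a random token looked up in the database, a sealed cookie keeps its state on the client, so the server cannot revoke one cookie before `exp` without maintaining a denylist, and whatever is inside it is still held by the browser; the Secure and HttpOnly flags matter as much as the encryption.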

Answered by user3824494

Sessions and cookies are not the same.

A session is used to store information from the web pages. Normally web pages don't have any memory to store this information. But using sessions we can save the necessary information.

But a cookie is used for identifying users. Using a cookie we can store data. It is a small piece of data which is stored in the user's web browser. So whenever the user browses next time, the browser sends the cookie data back to the server to retrieve the previous activities.

Credits: Session and Cookie

Answered by fuddin

Sessions allow you to store away individual pieces of information just like with cookies, but the data gets stored on the server instead of the client.

Answered by Kamalakannan J

As others said, sessions are clever and have the added advantage of hiding the information from the client.

But cookies still have at least one advantage: you can access your cookies from JavaScript (for example ngCookies). With a PHP session you can't access it anywhere outside the PHP script.