JavaScript: What are cookies and sessions, and how do they relate to each other?

Disclaimer: this page is a Chinese/English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use or share it, but you must do so under the same license, include the original address and author information, and attribute it to the original authors (not me): StackOverflow, original address http://stackoverflow.com/questions/11142882/

Date: 2020-08-24 04:39:34  Source: igfitidea

What are cookies and sessions, and how do they relate to each other?

Tags: javascript, php, session, cookies

Asked by Blanktext

I am trying to understand cookies and sessions professionally. I know that when a browser connects to a server, the server "asks" the browser to "paste" a cookie with "phpsessid" in the client browser cookies folder.

Now that we have the "phpsessid", if the client enters the server, the browser sends the "phpsessid" to the server, and the server takes a look at the tmp folder; if we have a match, it loads back every piece of data the user has for this client. But I am kinda confused with the process.

I will be thankful if someone can help me understand those processes of creating a session and cookies - what is happening behind the scenes.

Answered by Madara's Ghost

Let's go through this:

Cookies and sessions are both ways to preserve the application's state between different requests the browser makes. It's thanks to them that, for instance, you don't need to log in every time you request a page on StackOverflow.

Cookies

Cookies are small bits of data (maximum of 4KB long), which hold data in key=value pairs:

name=value; name2=value2

These are set either by JavaScript, or via the server using an HTTP header.

Cookies have an expiry datetime set, example using HTTP headers:

Set-Cookie: name2=value2; Expires=Wed, 19 Jun 2021 10:18:14 GMT

Which would cause the browser to set a cookie named name2 with a value of value2, which would expire in about 9 years.

Cookies are considered highly insecure because the user can easily manipulate their content. That's why you should always validate cookie data. Don't assume what you get from a cookie is necessarily what you expect.

Cookies are usually used to preserve login state, where a username and a special hash are sent from the browser, and the server checks them against the database to approve access.

Cookies are also often used in session creation.

Sessions

Sessions are slightly different. Each user gets a session ID, which is sent back to the server for validation either by cookie or by GET variable.

Sessions are usually short-lived, which makes them ideal in saving temporary state between applications. Sessions also expire once the user closes the browser.

Sessions are considered more secure than cookies because the variables themselves are kept on the server. Here's how it works:

  1. Server opens a session (sets a cookie via HTTP header)
  2. Server sets a session variable.
  3. Client changes page
  4. Client sends all cookies, along with the session ID from step 1.
  5. Server reads session ID from cookie.
  6. Server matches session ID from a list in a database (or memory etc).
  7. Server finds a match, reads variables which are now available on the $_SESSION superglobal.

If PHP does not find a match, it will start a new session, and repeat the steps from 1-7.

You can store sensitive information on a session because it is kept on the server, but be aware that the session ID can still be stolen if the user, let's say, logged in over an insecure WiFi. (An attacker can sniff the cookies and set them as his own; he won't see the variables themselves, but the server will identify the attacker as the user.)

That's the gist of it. You can learn more in the PHP manual on both subjects.