Quiz Entry - updated: 2026.07.14
What are sessions and how do they differ from cookies?
Sessions keep the data server-side and link it to a client through a session ID carried in a cookie, whereas cookies hold the data itself in the browser.
| Cookies | Sessions |
|---|---|
| Data stored in browser | Data stored on server |
| User can see/modify values | User only sees session ID |
| Limited size (~4KB) | Can store more data |
| Sent with every request | Only ID sent, data looked up |
Sessions are ideal for sensitive data (user ID, permissions) that users shouldn't be able to modify.
Go deeper:
Session (Wikipedia) — server-side vs client-side sessions and how a session ID ties stateless requests together.
OWASP Session Management Cheat Sheet — the canonical guide: session-ID entropy, lifetime, and secure handling.