1. Session
Imagine you're going to a theme park. When you enter, they give you a special wristband with a number on it. This wristband helps the park remember who you are and what you've done, like what rides you've been on or what snacks you've bought. Even if you leave the ride and come back later, the wristband helps the park know it's still you.
In PHP, a session works like that wristband. When you visit a website, the website gives you a little "wristband" called a session ID. This session helps the website remember things about you, like your username or the items in your shopping cart, as you move around the site.
Even if you go to a different page on the website, it still knows who you are because of the session. Once you're done and leave the site (or after some time), the session is over, like when you leave the park and return the wristband.
So, sessions in PHP are a way for websites to remember who you are as you browse.
====================================================================
1. How Sessions Work: Expiration and Deletion
In PHP (and Laravel), sessions are temporary. They last only as long as they're active. Here’s what happens:
Session While Browsing: When you're actively browsing a website, a session keeps track of you using the session ID (stored in a cookie).
Session Timeout: If you're inactive for a certain amount of time (called the session lifetime), the session will expire. This is like the server saying, "This user hasn't done anything in a while, so I'll forget about them."
Session on Leaving: If you close the browser or leave the site:
- The session data may remain on the server until its lifetime elapses. Closing the browser does not, by itself, remove anything on the server side.
- What closing the browser can do is discard the cookie that holds the session ID. That happens when the cookie is a true "session cookie", one issued without an Expires or Max-Age attribute, so it lives only as long as the browser is open. Once the ID is gone the browser can no longer present it, and the server-side record simply ages out. One caveat: browsers configured to restore the previous browsing session on startup may keep such cookies across a restart.
2. Session Lifetime in Laravel
In Laravel, session lifetimes are configurable. You can control how long the session stays active after a user has left or been inactive.
// In config/session.php
'lifetime' => 120, // Number of minutes a session will be kept alive if no activity.
'expire_on_close' => false, // If true, the session will end when the user closes their browser.
lifetime: how long (in minutes) a session is kept alive with no user activity. At 120, the session expires two hours after the user's last request; every request that touches the session pushes that deadline forward, so this is an idle timeout, not an absolute one.
expire_on_close: when true, the session cookie is issued without an Expires or Max-Age attribute, so the browser discards the session ID when it closes and the user has to authenticate again on the next visit. This is useful for extra security (banking sites, for example) where you want re-authentication after every browser session. Note that the server-side session data is not removed at that moment; it expires when lifetime elapses or is garbage-collected later.
When expire_on_close is false, Laravel issues the cookie with an expiry equal to lifetime, so the browser writes it to disk and the session ID survives a browser restart.
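As an added example (not code from the original post), here is a hardened excerpt of Laravel's config/session.php that puts the weaker and stronger cookie settings side by side, with the lifetime and expire_on_close options discussed above. The keys and their meaning are Laravel's own; the values chosen are one reasonable configuration rather than a universal recommendation, and SESSION_DRIVER and SESSION_SECURE_COOKIE are the environment variable names Laravel's stock file reads.

```php
<?php
// Added example: a hardened excerpt of Laravel's config/session.php.
// Not the page's own code. Keys follow the file shipped with Laravel;
// the values are one defensible choice and should be reviewed per app.

return [
    // Where session data lives on the server. 'file' writes to
    // storage/framework/sessions; 'database' or 'redis' are the usual
    // choices when more than one web server handles requests.
    'driver' => env('SESSION_DRIVER', 'file'),

    // Idle timeout in minutes: the server forgets a session this long
    // after the last request that touched it.
    'lifetime' => 120,

    // WEAK: false makes the cookie persistent (Expires/Max-Age are set),
    // so the session ID survives a browser restart on a shared machine.
    // 'expire_on_close' => false,
    // STRONGER: true omits Expires/Max-Age, so the browser drops the
    // cookie when it closes. Server-side data still lives until
    // 'lifetime' elapses, so the idle timeout matters as well.
    'expire_on_close' => true,

    // Encrypt the session *data* in the store. The session cookie itself
    // is encrypted by the EncryptCookies middleware regardless of this.
    'encrypt' => true,

    // Cookie attributes. http_only keeps document.cookie from reading the
    // session ID; secure restricts it to HTTPS; same_site 'lax' stops the
    // cookie from riding along on most cross-site requests.
    'http_only' => true,
    'secure'    => env('SESSION_SECURE_COOKIE', true),
    'same_site' => 'lax',

    // Probability (2 in 100 requests) that expired sessions are swept
    // from the store: expired data can linger until a sweep runs.
    'lottery' => [2, 100],
];
```

The two expire_on_close lines show the trade-off directly: the commented-out value keeps users logged in across browser restarts, the active one forces a fresh login but leaves the server-side record in place until the idle timeout or the sweep removes it.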
3. What Happens When the Session Expires or the User Leaves?
When the session expires (because the user was inactive for longer than lifetime), or the browser has discarded the session cookie (which happens on close when expire_on_close is true), Laravel no longer recognizes the user. On the next visit the request arrives with no usable session ID, so Laravel starts a new, empty session. For example, a user who was logged in has to log in again, because the login state lived in the session data that is now unreachable or cleared.
4. Cookie vs. Session
Session ID (stored in a cookie): This is temporary and tied to the session's lifetime. Once the session expires or is deleted, the session ID becomes invalid.
Regular Cookie: Unlike a session, a regular cookie can be set to persist even after you leave the site. So a website might store some user preferences, or remember your login, using a persistent cookie (Laravel's "remember me" cookie is one example of the latter).
To Summarize:
- Sessions are temporary and can expire either after a period of inactivity or when the user leaves (if configured that way).
- The session cookie may be discarded when you leave, in particular if expire_on_close is true; the server-side data then ages out on its own.
- Cookies (specifically, the session cookie) store the session ID and are tied to the session's lifetime. If the session expires, the server will "forget" you.
#############################################################################
2. Cookie
Imagine you visit a bakery, and they give you a little note with your favorite cookie order written on it. The next time you come back to the bakery, you hand them the note, and they know exactly what you like without asking again.
A cookie in web development works like that little note. When you visit a website, it can give your browser a small file (the cookie) with some information in it, like your preferences or if you're logged in. The next time you visit the same website, your browser sends that cookie back to the site, so it knows who you are and remembers things about you.
Unlike a session (which ends after a period of inactivity, or when you close the browser if the site is configured that way), a cookie can be given an explicit expiry and last much longer. It can stay on your computer for days, weeks, or even months, depending on how it is set.
So, in simple terms:
- A cookie is like a note that helps websites remember you when you come back, even after a long time.
- A session is more like a wristband that remembers you while you're on the website but usually forgets after you leave.
====================================================================
Let’s break down how cookies work in Laravel and how the server remembers users with them!
1. What Is a Cookie?
A cookie is a small piece of data sent from the server to the user's browser. The browser stores this data and sends it back to the server with each subsequent request. Cookies can store information like:
- User preferences
- Session IDs
- Login tokens
2. How Laravel Uses Cookies to Remember Users
Laravel doesn't store all session or user data directly in the cookie. Instead, it stores an identifier (like a session ID or a token) in the cookie, and the actual data is kept on the server. Here’s how Laravel remembers the user:
3. Step-by-Step Flow: Remembering Users with Cookies
a. User Makes a Request to Laravel:
When a user first visits a Laravel application, the application doesn't yet know who the user is, so Laravel generates a new session.
b. Laravel Sets a Cookie with the Session ID:
Laravel creates a unique session ID and sends it to the user's browser in a cookie. By default the cookie is named after the application, e.g. laravel_session. The response header looks roughly like this (the value is a placeholder):
Set-Cookie: laravel_session=<encrypted session id>; Max-Age=7200; Path=/; HttpOnly; SameSite=Lax
- The cookie carries only the session ID, and even that is encrypted by Laravel's EncryptCookies middleware; none of the session data itself travels in the cookie.
- It’s sent back to the browser along with the response.
c. Storing Session Data on the Server:
Depending on the session driver (e.g., file, database, Redis), Laravel stores the session data on the server. For example, with the file driver Laravel saves each session as a file under storage/framework/sessions, named by the session ID.
d. User Makes Another Request:
When the user clicks another link or performs any action on the site, the browser automatically sends the cookie (with the session ID) back to the server.
e. Laravel Retrieves the Session Data:
When the server receives the session ID from the cookie, Laravel looks for the session data associated with that ID in its storage (like the session file, database, etc.). Based on that data, Laravel can remember the user and their actions (like being logged in or what's in their shopping cart).
f. Session Keeps Going:
As long as the session is valid (not expired), Laravel will continue to retrieve session data using the session ID stored in the cookie, keeping track of the user’s state across different pages.
4. Example Scenario: User Login
Let’s say a user logs into a Laravel application:
- After logging in, Laravel stores the user’s ID (or other relevant data) in the session.
- A cookie containing the session ID is sent to the user's browser.
- On subsequent requests, the cookie with the session ID is sent back to the server, and Laravel retrieves the logged-in user’s data using that ID.
- This is how the application "remembers" that the user is logged in without needing to re-authenticate on every page.
5. Security Features:
Laravel ships with several protections for cookies and sessions:
- HttpOnly: the session cookie cannot be read from JavaScript, so an XSS bug on the site cannot simply copy the session ID out of document.cookie. It does not prevent XSS itself, and the attacker's script can still send requests from the victim's browser.
- Secure and SameSite: the cookie can be restricted to HTTPS and kept off most cross-site requests via the secure and same_site options in config/session.php.
- Encryption: Laravel encrypts cookies, including the session cookie, so the raw session ID is never exposed to the client.
- Session Management: Laravel enforces the session lifetime so sessions expire after a period of inactivity, and it rotates the session ID when a user logs in, which defeats session fixation (an attacker planting a known ID before the victim authenticates).
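The login scenario in section 4 and the session-management point above come together in the following added example, a minimal Laravel controller that is not code from the original post. It assumes a standard Laravel application (the Auth facade, the web middleware group with its session and cookie encryption middleware, and a users table). The controller name, route paths, view name and the 'login_at' session key are illustrative.

```php
<?php
// Added example, not the page's own code: login, an authenticated page,
// and logout in a Laravel controller, with the session handling that the
// flow above relies on. Names below are illustrative.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class SessionController extends Controller
{
    // POST /login
    public function login(Request $request)
    {
        $credentials = $request->validate([
            'email'    => ['required', 'email'],
            'password' => ['required'],
        ]);

        if (! Auth::attempt($credentials)) {
            return back()->withErrors(['email' => 'Invalid credentials.']);
        }

        // The user's privilege level just changed, so issue a new session
        // ID. Laravel's session guard already migrates the session on
        // login; calling regenerate() makes the fixation defence explicit:
        // any ID an attacker planted before login is not the one that is
        // now authenticated. Existing session data is carried over.
        $request->session()->regenerate();

        // Stored on the server under the new ID. The browser only ever
        // receives the encrypted ID in the laravel_session cookie.
        $request->session()->put('login_at', now()->toIso8601String());

        return redirect()->intended('/dashboard');
    }

    // GET /dashboard (route protected by the 'auth' middleware)
    public function dashboard(Request $request)
    {
        // The cookie came back with this request and the session
        // middleware loaded the stored data, so Auth::user() resolves
        // without asking for credentials again.
        return view('dashboard', [
            'user'     => Auth::user(),
            'login_at' => $request->session()->get('login_at'),
        ]);
    }

    // POST /logout
    public function logout(Request $request)
    {
        Auth::logout();

        // Flush the server-side data and move to a fresh, empty session ID
        // so the old ID cannot be replayed; rotate the CSRF token as well.
        $request->session()->invalidate();
        $request->session()->regenerateToken();

        return redirect('/');
    }
}
```

The two calls worth remembering are regenerate() right after a successful login and invalidate() plus regenerateToken() on logout: the first stops a pre-planted session ID from becoming an authenticated one, the second makes sure a logged-out ID is useless even if it was captured earlier.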
Summary:
- Cookie: Stores only a session ID or token.
- Server: Stores actual session data (based on the session driver like file or Redis).
- Remembering Users: Laravel checks the session ID from the cookie, retrieves session data from the server, and "remembers" the user on subsequent requests.
Thank you