Difference Between Session and Cookies (original) (raw)
Last Updated : 12 May, 2026
Web applications often need to store user information such as login details, preferences, and shopping cart data. Sessions and cookies are two commonly used techniques for managing this data and maintaining user state across multiple requests.
- Cookies store data in the user's browser and can persist even after the browser is closed.
- Sessions store data on the server, making them more secure for sensitive information.
- Both sessions and cookies help improve user experience by maintaining continuity between requests.
Session and Cookies
Cookie
Cookies are small data stored on the client side (browser) as key-value pairs. They are commonly used for session management, user preferences, and behaviour tracking. When a user loads a website, the browser sends the stored cookies with the request, allowing the server to track and personalize the user's experience.
Features of Cookies
- **Client-Side Storage: Data is stored in the user's browser, reducing the server's load.
- **Persistence: Can be set to expire after a specific time, allowing data to persist across sessions.
- **Small Storage Size: Limited to 4KB per cookie, making it suitable for lightweight data like preferences and authentication tokens.
- **Security: Can be configured with HttpOnly (to prevent JavaScript access), Secure (to allow only HTTPS), and SameSite (to prevent cross-site attacks).
- **Automatic Transmission: Cookies are automatically sent with every request to the same domain, enabling tracking and authentication.
- **User Tracking: Commonly used for session tracking, remembering login status, and personalization across different visits.
Use Cases of Cookies
- Stores user preferences (e.g., theme, language settings).
- Keep users logged in via authentication tokens (JWT).
- Track website analytics and user behavior.
- Manage shopping cart data in e-commerce websites.
**Example: First you need to install cookie-parser in in your application
npm install cookie-parser
JavaScript `
// app.js const express = require("express"); const cookieParser = require("cookie-parser"); const app = express();
app.use(cookieParser());
app.get("/setCookie", (req, res) => { res.cookie("username", "GeeksForGeeks", { maxAge: 900000, httpOnly: true }); res.send("Cookie set successfully!"); });
app.get("/getCookie", (req, res) => { const username = req.cookies.username; res.send(username ? Username: ${username} : "No cookie found"); });
app.get("/clearCookie", (req, res) => { res.clearCookie("username"); res.send("Cookie deleted successfully!"); });
app.listen(3000, () => { console.log("Server is running on http://localhost:3000"); });
`
**Output
**Explanation: This Express.js program demonstrates cookie management using the cookie-parser middleware. It shows how to create, read, and delete cookies through different routes in a web application.
Session
Sessions in Express enable the server to maintain user-specific data across multiple requests by storing information server-side and associating it with a unique session identifier. This approach allows for persistent user interactions and state management within web applications.
Features of Sessions
- **Server-Side Storage: Stores user data securely on the server instead of the client’s browser.
- **Stateful Authentication: Maintains user login status during a session without storing credentials in cookies.
- **Large Data Storage: Unlike cookies, sessions are not limited to 4KB and can store complex data structures.
- **Automatic Expiration: Sessions expire after a certain period of inactivity or when the user logs out.
- **Session ID in Cookies: A small cookie (session ID) is used to identify the session stored on the server.
- **Security: Since the actual data is on the server, it is more secure than cookies, reducing risks like data tampering or exposure.
Use Cases of Sessions
- Managing user authentication in web applications.
- Storing temporary user data (e.g., items in a cart before checkout).
- Implementing stateful applications where user data persists across multiple pages.
**Example: First you need to install express-session in your application
npm install express-session
JavaScript `
// app.js const express = require('express'); const session = require('express-session'); const app = express();
app.use(session({ secret: 'secret_key', / resave: false, saveUninitialized: true, }));
app.get('/setSession', (req, res) => { req.session.username = 'GeeksForGeeks'; res.send('Session set successfully!'); });
app.get('/getSession', (req, res) => { const username = req.session.username; if (username) { res.send(Username from session: ${username}); } else { res.send('No active session found'); } });
app.get('/destroySession', (req, res) => { req.session.destroy((err) => { if (err) { console.error(err); res.status(500).send('Error destroying session'); } else { res.send('Session destroyed successfully!'); } }); });
app.listen(3000, () => { console.log('Server is running on http://localhost:3000'); });
`
**Output
**Explanation: This Express.js program demonstrates session management using the express-session middleware. It creates a session, retrieves stored session data, and destroys the session through different routes.
Cookies vs Session
| Feature | Cookies | Sessions |
|---|---|---|
| Storage Location | Stored in the user's browser | Stored on the server |
| Security | Less secure | More secure |
| Data Size | Limited storage capacity | Can store larger data |
| Lifetime | Can persist after browser closes | Usually ends after session timeout or browser close |
| Performance | Reduces server load | Uses server memory |
| Accessibility | Accessible from client-side scripts | Accessible only on the server |
| Use Case | Remember preferences or login state | Store sensitive user information |