Cookies vs sessions for PHP application

猫巷女王i 2021-01-15 11:08

What would be better when implementing a PHP login system: sessions or cookies?

4 answers
  •  遥遥无期
    2021-01-15 11:45

    Cookies are stored in the user's browser. Sessions are stored server side.

    If you have ANY sensitive information, never put it in a cookie, as the user - or someone with access to their computer - can do all kinds of nasty things with it.

    If you're making any decisions - like deciding if someone is logged in or has admin access - you can use the cookie but then map it to a session with the interesting/important bits.

    Although you can set cookies to expire, since they're stored in the browser, that can always be adjusted by a nefarious user. I've adjusted my own cookies before to never have to log in again. ;) Since sessions are server-side - and don't have to be shared with the user - you can be sure the session expires when you want.

    Though you need to be aware of session fixation or replay attacks, so they're not perfect either.
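
The approach described in the answer above (the cookie carries only a session ID, while login state, the admin flag and expiry live server-side), as an added example that is not part of the original thread. The function names, timeout values and sample user store are assumptions made for illustration.

```php
<?php
// Added example: names and timeout values are assumptions, not from the thread.
const IDLE_TIMEOUT = 900;        // seconds of inactivity allowed (assumed value)
const ABSOLUTE_TIMEOUT = 28800;  // maximum session lifetime in seconds (assumed value)

function start_secure_session(): void {
    ini_set('session.use_strict_mode', '1');   // reject session IDs the server did not issue
    ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie; real expiry is enforced below
        'path'     => '/',
        'secure'   => true,     // send over HTTPS only
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Expiry is decided from timestamps kept in server-side session data,
// so editing the cookie's expiry in the browser changes nothing.
function session_is_valid(array $s, int $now): bool {
    if (empty($s['user_id']) || !isset($s['created'], $s['last_seen'])) return false;
    if ($now - $s['last_seen'] > IDLE_TIMEOUT) return false;
    if ($now - $s['created'] > ABSOLUTE_TIMEOUT) return false;
    return true;
}

// Call only after start_secure_session(); the session must already be active.
function login(array $users, string $name, string $password): bool {
    $hash = $users[$name]['hash'] ?? null;
    if ($hash === null || !password_verify($password, $hash)) return false;
    session_regenerate_id(true);  // new ID at login, old one deleted: counters session fixation
    $_SESSION = ['user_id' => $name, 'is_admin' => $users[$name]['is_admin'],
                 'created' => time(), 'last_seen' => time()];
    return true;
}

function require_login(): void {
    if (!session_is_valid($_SESSION, time())) {
        $_SESSION = [];
        session_destroy();        // drop the server-side record
        http_response_code(401);
        exit('Please log in again.');
    }
    $_SESSION['last_seen'] = time();  // sliding idle window
}

// Constructed sample user store; a real application would query its database.
$users = ['alice' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'is_admin' => false]];
```

Each page calls `start_secure_session()` first, then either `login($users, ...)` on the login form handler or `require_login()` on protected pages; authorization decisions read `$_SESSION['is_admin']`, never a value sent by the browser.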
