Learn Netverks


Sessions and cookies

Last reviewed Jun 1, 2026 Content v20260601
Track mode: server_script (Server runner)
Reading: ~2 min
Level: intermediate

This lesson

This lesson teaches sessions and cookies: the syntax, APIs, and habits you need before advancing in PHP.

Stateful web apps still rely on sessions and cookies—misuse causes auth bugs and security findings.

You will apply sessions and cookies in contexts like login flows, shopping carts, and multi-step wizards on traditional server-rendered sites.

Write PHP in the editor and click Run on server—the dev runner executes your script and returns stdout/stderr (set LEARNING_RUNNER_ENABLED=true locally).

Start this lesson when you can explain the previous lesson's ideas without copying starter code.

HTTP is stateless; sessions and cookies let PHP recognize returning users—shopping carts, login state, preferences.

Cookies

Cookies are small name/value pairs the server sends in the Set-Cookie response header; the client sends them back on every matching request. Set them with setcookie() before any output is sent:

setcookie('theme', 'dark', [
    'expires' => time() + 86400 * 30,
    'path' => '/',
    'httponly' => true,
    'samesite' => 'Lax',
    'secure' => true, // HTTPS only
]);

Sessions

session_start();
$_SESSION['user_id'] = 42;
$userId = $_SESSION['user_id'] ?? null;

PHP stores session data server-side (files, Redis, database) and issues a session ID cookie—prefer sessions for sensitive auth state over large client cookies.
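A login/logout flow that ties the two sections together, added here as an example (it is not the lesson's own code): the flags from the setcookie() snippet applied to the session ID cookie, only the user id kept in the session, and a fresh ID issued on login. It assumes HTTPS; verifyCredentials(), the sample user and the id 42 are constructed for the example.

```php
<?php
// Added example, not part of the lesson: login/logout built on a server-side
// session. Assumes HTTPS; verifyCredentials() and the sample user are constructed.

// Harden the session ID cookie before session_start(), with the same flags as
// the setcookie() snippet above. Like setcookie(), this must run before any output.
session_set_cookie_params([
    'lifetime' => 0,     // browser-session cookie: dropped when the browser closes
    'path'     => '/',
    'secure'   => true,  // sent over HTTPS only
    'httponly' => true,  // not readable from JavaScript
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1'); // reject IDs the server never issued
session_start();

// Hypothetical credential check against a constructed single-user table.
// A real app would load the password_hash() value from its users table.
function verifyCredentials(string $user, string $password): ?int
{
    $users = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
    if (isset($users[$user]) && password_verify($password, $users[$user])) {
        return 42; // constructed user id
    }
    return null;
}

function login(string $user, string $password): bool
{
    $userId = verifyCredentials($user, $password);
    if ($userId === null) {
        return false;
    }
    // Issue a fresh session ID on login so a pre-login ID (session fixation)
    // stops being valid; store only the id, never the password.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    return true;
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the ID cookie client-side, then drop the server-side data.
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => $p['path'],
        'secure' => $p['secure'], 'httponly' => $p['httponly'], 'samesite' => $p['samesite']]);
    session_destroy();
}
```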

Playground note

Session functions may not persist between runner invocations. Study the API; test login flows on a local Apache/Nginx + PHP stack.

Important interview questions and answers

  1. Q: Session vs cookie?
    A: Cookies live on the client (size limits, visible); sessions store data server-side with only an ID cookie on the client.
  2. Q: HttpOnly and Secure flags?
    A: HttpOnly blocks JavaScript access (mitigates XSS cookie theft); Secure sends cookie only over HTTPS.

Self-check

  1. Why call session_start() before reading $_SESSION?
  2. What does SameSite=Lax help prevent?

Pitfall: Never store passwords in cookies—use server sessions for auth state and HttpOnly + Secure flags.

Interview prep

Session vs cookie storage?

Sessions store data server-side with an ID cookie on the client; plain cookies store data on the client—limited size and visible to JS unless HttpOnly.

Lesson completion confidence

Can you explain this lesson in 30 seconds without reading notes?


Playground

Runs on the configured server runner (dev: npm run runner with LEARNING_RUNNER_ENABLED=true). Output appears below the editor.


Discussion


Starter discussion topics

  • Session fixation?
  • HttpOnly cookie?
