A cookie is mainly used to maintain some state on the client side between requests on a specific domain and/or path. A session is mainly used to maintain some server-side state between requests for a specific domain and/or path.
A session is usually backed by a cookie. In PHP, this is a cookie called PHPSESSID and in JSP it is a cookie named JSESSIONID. Both of them contain a long unique autogenerated value.
On the server side, there is a mapping in memory between the cookie value and all attached session objects. For each request, it checks the cookie value in the request header and retrieves the attached session objects from the mapping, using the cookie value as a key. For each response, it writes the cookie value to the response header. The client, in turn, sends it back in the header of subsequent requests until the cookie expires.
As for authorization/logins, you can put the registered User object in the session on the server side, check on each request whether it is present, and process accordingly. When you log out, you simply delete the User object from the session or terminate the session. In PHP, you can access the session with $_SESSION and in Java/JSP with HttpServletRequest#getSession().
The principle is the same in all other web programming languages.
Balusc
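The mapping described in the answer above, as an added Python sketch that is not part of the original answer and not PHP's or the servlet container's own code. The cookie name SESSIONID, the 30-minute timeout, the SessionStore class, and the choice to issue a fresh id at login are assumptions made for illustration.

```python
import secrets, time
from http.cookies import SimpleCookie

COOKIE_NAME = "SESSIONID"   # assumed name; PHP uses PHPSESSID, JSP uses JSESSIONID
TTL = 1800                  # assumed idle timeout in seconds

class SessionStore:
    """Server-side mapping: cookie value -> session attributes."""
    def __init__(self):
        self._sessions = {}   # sid -> (expires_at, attributes dict)

    def _new(self, attrs=None, now=None):
        sid = secrets.token_urlsafe(32)   # long, unique, unguessable
        self._sessions[sid] = ((now or time.time()) + TTL, attrs or {})
        return sid

    def load(self, cookie_header, now=None):
        """Return (sid, attrs) for a request's Cookie header, creating a session if needed."""
        now = now or time.time()
        jar = SimpleCookie()
        jar.load(cookie_header or "")
        sid = jar[COOKIE_NAME].value if COOKIE_NAME in jar else None
        entry = self._sessions.get(sid)
        if entry is None or entry[0] < now:      # unknown, client-chosen or expired id
            self._sessions.pop(sid, None)
            sid = self._new(now=now)             # never adopt an id the server did not issue
        else:
            self._sessions[sid] = (now + TTL, entry[1])   # sliding expiry
        return sid, self._sessions[sid][1]

    def login(self, sid, user, now=None):
        """Store the user and move the session to a fresh id, retiring the pre-login id."""
        _, attrs = self._sessions.pop(sid)
        attrs["user"] = user
        return self._new(attrs, now)

    def logout(self, sid):
        self._sessions.pop(sid, None)            # terminate the session

def set_cookie_header(sid):
    """Value of the Set-Cookie response header carrying the session id."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = sid
    jar[COOKIE_NAME].update({"path": "/", "httponly": True, "secure": True, "samesite": "Lax"})
    return jar[COOKIE_NAME].OutputString()
```

Only the opaque id travels in the cookie; the User object stays in the server-side dictionary, so a logout or timeout invalidates it regardless of what the client still sends.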