I understand the normal application of a persistent cookie vs a session cookie. But if you can specify the expiration time of a session cookie to behave like a persistent cookie and vice-versa. Is there any benefit to using session cookies besides them being obfuscated from the user and the session is stored on the server?
session_set_cookie_params()
function allows you to set a specific expiration time for a session. You can set the time in a persistent cookie in the setcookie()
function.
I already pulled up the threads
Cookie VS Session and Session cookies and persistent cookies, and didn't find my answer.
But if you can specify the expiration time of a session cookie to
behave like a persistent cookie and vice-versa.
Not true, the difference between a session cookie and a persistent cookie is whether or not the an expires
value is given. A session cookie can't have an expiration time by definition.
Is there any benefit to using session cookies besides them being
obfuscated from the user and the session is stored on the server?
A session ID for something like PHP sessions can be stored in either a session cookie or a persistent cookie, and session cookies can contain other information besides session IDs. They both use the word "session" but are separate things.
A session cookie is the right choice if you want the cookie to disappear when the user closes their browser. A good example is online banking - the cookie that authenticates you should be destroyed when you close the browser so someone can't sneak onto your computer, reopen the browser, and start making transfers. Ever had your facebook status or something like that changed as a prank?