Explanation of Cookies and Sessions

Started by robinrobin, August 08, 2009, 12:12:59 PM


robinrobin

Could someone please explain to me what the difference is between cookie length and session length?

If I have 60 minutes as "Default login cookies length" and 600 seconds as "Seconds before an unused session timeout", what does that actually mean, practically?

The only thing that this logically could mean to me as a regular user is:

- When I log in, I stay logged in for 60 minutes but am logged out after 600 seconds (10 minutes) of inactivity. I have to log back in again after those 60 minutes have passed regardless of how active I am during that hour.

Is that correct or not?

The reason I ask is because I've been logged out and asked to log back in again when I've been doing administrative tasks, such as adding text to the registration agreement, which actually resets all my work so I have to start over, and I would very much not like it if my users had to go through the same thing while writing long articles. Very annoying!

Thank you.

Frieling

If I remember right, a cookie is tracked by the browser you are using, and I think in minutes or seconds that is how long it is going to stay there.
Just an average guy.

robinrobin

Thank you Frieling, but I was looking for a bit more verbose explanation than that.

Arantor

Cookies are small text files that are sent between browser and server; the server sends it and every subsequent page request of the browser sends it back. The cookie length specifies how long the cookie will live for - after 60 minutes, the cookie will stop going back and forth.

Sessions are data that live on the server, and in theory live for the lifetime of one user's session at a site - a session being an instance of prolonged usage of a site. The cookie is used to help the server find the session for a given user.

The thing is, a session can last longer than the cookie is valid for - and can be shorter.

If you click off the site without logging out, the session data is still present; the site has no way of knowing that you're not visiting, after all you may just be reading a long page. So after 10 minutes the session disappears and you are effectively considered offline at that point.

The session stuff is purely server side, the user never has to see or worry about it. All it really does is limit how long users appear to be online for if they don't keep actively clicking round a site. Cookie length dictates more firmly how long a user will be logged in for - if they go over the 60 minutes, they will be logged out.

Really this isn't so much a support question, more one about SMF and general server architecture - would you prefer this be moved to the Coding Discussion board if you need more information?
Holder of controversial views, all of which my own.


robinrobin

The difference between cookies and sessions still isn't clear enough to me for me to understand why there is a need for both cookie time and session time.

Next?

Arantor

The cookie is passed back and forth between the client and server. The session is only on the server.

The cookie tells the server which session file to use. Without the session the server wouldn't know what cookie to send to the client.

If you don't have a time on the cookie, it will continue until 2038, meaning you will NEVER be logged out. If you don't have a time on the session you will gradually fill your database with sessions until you run out of disk space because every user who visited even only once will leave a session file and it'll be a unique file per user session.
Holder of controversial views, all of which my own.
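
The two timers described in this thread, as an added example that is not part of any post and is not SMF's own code: a simplified Python model in which the cookie carries an absolute expiry and the server-side session carries an idle timeout. The names `Server` and `simulate`, and the choice to start a fresh session when a valid cookie points at a deleted one, are assumptions made for illustration.

```python
import secrets

COOKIE_LIFETIME = 60 * 60  # "Default login cookies length": 60 minutes
SESSION_IDLE = 600         # "Seconds before an unused session timeout"


class Server:
    """Toy server (hypothetical): sessions live here, the browser holds only an ID."""

    def __init__(self):
        self.sessions = {}  # session ID -> time of the last request

    def login(self, now):
        sid = secrets.token_urlsafe(32)  # unguessable ID carried in the cookie
        self.sessions[sid] = now
        return {"sid": sid, "expires": now + COOKIE_LIFETIME}

    def gc(self, now):
        """Delete idle sessions so the store cannot grow without bound."""
        stale = [s for s, seen in self.sessions.items() if now - seen > SESSION_IDLE]
        for sid in stale:
            del self.sessions[sid]
        return len(stale)

    def request(self, cookie, now):
        self.gc(now)
        if now >= cookie["expires"]:
            return "logged_out"  # the browser has stopped sending the cookie
        if cookie["sid"] not in self.sessions:
            # Assumption: cookie still valid, so start a fresh session under a
            # new ID; whatever the old session held is gone.
            cookie["sid"] = secrets.token_urlsafe(32)
            self.sessions[cookie["sid"]] = now
            return "session_lost"
        self.sessions[cookie["sid"]] = now  # activity resets the idle timer
        return "ok"


def simulate(request_times):
    """Log in at t=0, then return the outcome of a request at each time (seconds)."""
    server = Server()
    cookie = server.login(0)
    return [server.request(cookie, t) for t in request_times]
```

With these settings, a user who clicks every five minutes is still logged out at the 60-minute mark, while a user who pauses for more than ten minutes keeps the cookie but loses the server-side session.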


robinrobin

Hmm, I think I understand. Thank you, Arantor.

Arantor

No problems. I'm marking this topic solved for now but if you want further details please come back and unsolve it, with further questions :)
Holder of controversial views, all of which my own.

