Difference between Cookies and Sessions


 Can anybody please define cookies and sessions and their

differences in detail with reference to rails.

Thank you,

Cookies are stored key/value pairs (with other attributes such as
domain, path and ssl requirements) in the client’s browser. The
specification for them is in the HTTP specification and these can
(generally) be read by backend languages such as Rails or frontend
technologies such as Javascript.

Sessions are an unrestricted storage area for applications, generally
by the backend language only (due to encryption and hash protection with
server side secrets), although they may be stored in their entirety in a
client-side cookie for convenience to avoid “sticky sessions” where
requests have to come back to the same backend server.

Hope this helps.



Andy J. Ruby on Rails, RubyMotion, jQuery Developer & Taekwondo
Dan Instructor
andyjeffries.co.uk +44 7939 164853 @andyjeffries
http://twitter.com/andyjeffries Andy Jeffries

Praveen BK wrote in post #1151760:


 Can anybody please define cookies and sessions and their

differences in detail with reference to rails.

What may be confusing you, that I’ve not seen mentioned yet, is that
session identifiers are stored in cookies. Let me explain by looking at
the process…


  • User Agent (Web Browser)
  • Local storage (Cookies, Local Storage, etc.)
  • User (Person using User Agent)
  • Application (Server side Rails, PHP, ect.)
  1. User enters URL into address bar of User Agent (e.g.
  2. User agent looks up cookies in Local Storage matching domain (e.g.
  3. User agent sends request, with attached cookies, to Application.
  4. Application parses incoming request, extracting any cookies found in
  5. Application searches for session cookie. Goto to #7 if found.
  6. Application creates new session cookie if necessary
  7. Application renders response.
  8. Application attaches all cookies to response.
  9. Application send response to User Agent.
  10. User Agent extracts cookies from response.
  11. User Agent stores cookies from response in Local Storage.

Noticed #6 says “if necessary”. It’s possible to have session-less
requests (i.e session only on demand)

As you can see the “session cookie” is a cookie like any other. It is
nothing more than an opaque identifier used to track a User between
requests. Requests in HTTP are stateless, there is no way to know that
two requests are really part of the same Application session. The
concept of session is at the application layer and not at the protocol
layer (HTTP), which has no notion of application session. To work around
the stateless nature of HTTP we use cookies in order to emulate state.

Session cookies are cookies, but not all cookies are session cookies.
Sometimes you just want to store arbitrary data in the User Agent’s
Local Storage, and have the User Agent send it back to you on subsequent

Session cookies are not to be confused with Rails’s cookie based session
storage. This is also implemented using a cookie, and is separate from
the session identifier cookie. Session storage cookies, of course, have
the same limitations as any other cookie (because they ARE just a
cookie). The limitation of the most concern is the 4K size limit. You
cannot store more that 4K (total) for each Rails session, including the
overhead info Rails puts in the session storage cookie.

Normally this is not a problem since you want to minimize the amount
information you store in a session. A common item for session storage is
the User, so that you can match a specific session to a specific user of
your application. It is important to understand that there is no need to
store the entire User model in the session. All you need to store is the
“id” of the User model so that you can lookup the actual User model on
each request. (Example: session['user_id"] = some_user.id NOT
session[“user”] = some_user)

Hope this helps clear thing up for you.