What is the difference between server side cookie and client side cookie

Question

What is the difference between creating cookies on the server and on the client  Are these called server side cookies and client side cookies  Is there a way to create cookies that can only be read on the server or on the client

User · Answer

Yes you can create cookies that can only be read on the server-side. These are called "HTTP Only" -cookies, as explained in other answers already
No, there is no way (I know of) to create "cookies" that can be read only on the client-side. Cookies are meant to facilitate client-server communication.
BUT, if you want something LIKE "client-only-cookies" there is a simple answer: Use "Local Storage".

Local Storage is actually syntactically simpler to use than cookies. A good simple summary of cookies vs. local storage can be found at:

https://courses.cs.washington.edu/courses/cse154/12au/lectures/slides/lecture21-client-storage.shtml#slide8

A point: You might use cookies created in JavaScript to store GUI-related things you only need on the client-side. BUT the cookie is sent to the server for EVERY request made, it becomes part of the http-request headers thus making the request contain more data and thus slower to send.

If your page has 50 resources like images and css-files and scripts then the cookie is (typically) sent with each request. More on this in Does every web request send the browser cookies?

Local storage does not have those data-transfer related disadvantages, it sends no data. It is great.

User · Answer

What is the difference between creating cookies on the server and on the client   What you are referring to are the 2 ways in which cookies can be directed to be set on the client  which are   By server By client   browser in most cases    By server  The Set-cookie response header from the server directs the client to set a cookie on that particular domain  The implementation to actually create and store the cookie lies in the browser  For subsequent requests to the same domain  the browser automatically sets the Cookie request header for each request  thereby letting the server have some state to an otherwise stateless HTTP protocol  The Domain and Path cookie attributes are used by the browser to determine which cookies are to be sent to a server  The server only receives name value pairs  and nothing more  By Client  One can create a cookie on the browser using document cookie   cookiename cookievalue  However  if the server does not intend to respond to any random cookie a user creates  then such a cookie serves no purpose   Are these called server side cookies and client side cookies   Cookies always belong to the client  There is no such thing as server side cookie   Is there a way to create cookies that can only be read on the server or on the client   Since reading cookie values are upto the server and client  it depends if either one needs to read the cookie at all  On the client side  by setting the HttpOnly attribute of the cookie  it is possible to prevent scripts   mostly Javscript   from reading your cookies   thereby acting as a defence mechanism against Cookie theft through XSS  but sends the cookie to the intended server only  Therefore  in most of the cases since cookies are used to bring  state    memory of past user events    creating cookies on client side does not add much value  unless one is aware of the cookies the server uses    responds to  References  Wikipedia

User · Answer

All cookies are client and server  There is no difference  A regular cookie can be set server side or client side  The  classic  cookie will be sent back with each request  A cookie that is set by the server  will be sent to the client in a response  The server only sends the cookie when it is explicitly set or changed  while the client sends the cookie on each request    But essentially it s the same cookie   But  behavior can change  A cookie is basically a name value pair  but after the value can be a bunch of semi-colon separated attributes that affect the behavior of the cookie if it is so implemented by the client  or server    Those attributes can be about lifetime  context and various security settings    HTTP-only  is not server-only   One of those attributes can be set by a server to indicate that it s an HTTP-only cookie  This means that the cookie is still sent back and forth  but it won t be available in JavaScript  Do note  though  that the cookie is still there  It s only a built in protection in the browser  but if somebody would use a ridiculously old browser like IE5  or some custom client  they can actually read the cookie   So it seems like there are  server cookies   but there are actually not  Those cookies are still sent to the client  On the client there is no way to prevent a cookie from being sent to the server    Alternatives to achieve  only-ness   If you want to store a value only on the server  or only on the client  then you d need some other kind of storage  like a file or database on the server  or Local Storage on the client

User · Answer

You probably mean the difference between Http Only cookies and their counter part   Http Only cookies cannot be accessed  read from or written to  in client side JavaScript  only server side  If the Http Only flag is not set  or the cookie is created in  client side  JavaScript  the cookie can be read from and written to in  client side  JavaScript as well as server side

User · Answer

HTTP COOKIES  Cookies are key value pairs used by websites to store state information on the browser  Say you have a website  example com   when the browser requests a webpage the website can send cookies to store information on the browser   Browser request example   GET  index html HTTP 1 1 Host  www example com   Example answer from the server   HTTP 1 1 200 OK Content-type  text html Set-Cookie  foo 10 Set-Cookie  bar 20  Expires Fri  30 Sep 2011 11 48 00 GMT     rest  of the response   Here two cookies foo 10 and bar 20 are stored on the browser  The second one will expire on 30 September   In each subsequent request the browser will send the cookies back to the server   GET  spec html HTTP 1 1 Host  www example com Cookie  foo 10  bar 20 Accept        SESSIONS  Server side cookies  Server side cookies are known as  sessions   The website in this case stores a single cookie on the browser containing a unique Session Identifier  Status information  foo 10 and bar 20 above  are stored on the server and the Session Identifier is used to match the request with the data stored on the server   Examples of usage  You can use both sessions and cookies to store  authentication data  user preferences  the content of a chart in an e-commerce website  etc     Pros and Cons  Below pros and cons of the solutions  These are the first that comes to my mind  there are surely others   Cookie Pros    scalability  all the data is stored in the browser so each request can go through a load balancer to different webservers and you have all the information needed to fullfill the request  they can be accessed via javascript on the browser  not being on the server they will survive server restarts  RESTful  requests don t depend on server state   Cookie Cons     storage is limited to 80 KB  20 cookies  4 KB each  secure cookies are not easy to implement  take a look at the paper A secure cookie protocol   Session Pros    generally easier to use  in PHP there s probably not much difference  unlimited storage   Session Cons     more difficult to scale on web server restarts you can lose all sessions or not depending on the implementation not RESTful

[http] What is the difference between server side cookie and client side cookie?

Examples related to http

Examples related to cookies

Examples related to session-cookies