What is the difference between a Drupal session variable and a cookie?

Question

When you set a Drupal session variable (i.e. a "magic" variable you may set like this):

$_SESSION['mymodule'] = array('key' => 'value');

the value goes away when the user logs out.

If you set a cookie, using the function

user_cookie_save(array('key'=>'value'))

the value saved survives the user session.

However, I wonder if they just two of a kind (i.e. a Drupal session variable is just a cookie, but with the lifetime restricted to the duration of a the session.

Or is a Drupal session variable not implemented using a session cookie?

Answer 1

Seeing this has two votes, I'll try to explain it.

Drupal uses the built-in PHP session mechanism, which as you rightly suspect is based on a cookie. The cookie name is SESS followed by a long string of characters, and its value is another long string of characters. PHP detects this cookie and makes it available to Drupal's session implementation, which by default uses the database table sessions for storage, with the value of the cookie as the key sid.

The session entry also records the user ID: early in the Drupal bootstrap sequence the session is loaded and then the corresponding user object, which is subsequently used to govern access to resources, based on the user's roles and other attributes.

Data stored in the PHP global array $_SESSION is automatically saved to the current session's database entry by Drupal at the end of a page request. This is typically used to store relatively transient data such as items in a shopping cart.

Other cookies can be saved and retrieved in code (including JavaScript) and they will not be affected by logout unless you specifically write code to delete them when that happens. Confusingly, cookies with an expiry time of 0 are also often termed "session cookies" - these are deleted when you shut down your browser.

There's a lot more that could be said and I'll add some good references when I have a chance.