
Is there a tradeoff mechanism between sessions and cookies?

Updated: 2022-10-26 14:42:09


I have a question: cookies are not secure enough and sessions eat too much memory, so is there a mechanism to make a tradeoff between the two?

I know a little about the difference between sessions and cookies, but I really have no idea.

Does anyone have an idea about this? Thanks in advance!

Not really - there is a huge difference between the two: one is server side, and the other is client side. That means two things:
1) Cookies are persistent - they can survive beyond the limits of the current session. So the user can turn his computer off, come back tomorrow and the cookies are still available when he connects to your site. This is great for shopping lists and so forth, and for low-security logins (such as this site). Sessions are not persistent - they expire after inactivity, or when the browser is closed.
2) Sessions are inherently more secure - because data does not leave the server, so it can't be intercepted, either in transit or by client-based tools (legitimate or otherwise). This is good for financial-based logins, credit card info, and so forth.

The "tradeoff" you talk about is not a fixed thing - it is down to the use to which your application will be put.
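
The distinction drawn in the answer above, as an added example that is not part of the original thread: a server-side session keeps its data on the server and gives the browser only an opaque random ID that expires after inactivity, while a persistent cookie stores its value on the client. The class and function names, the 15-minute idle limit and the cookie attributes are assumptions chosen for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60  # assumed idle limit in seconds (not from the page)


class SessionStore:
    """Server-side session data keyed by an opaque random ID."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.time):
        self._data = {}  # session id -> (last_seen, values)
        self._idle = idle_timeout
        self._clock = clock

    def create(self, values):
        sid = secrets.token_urlsafe(32)  # unguessable, carries no user data
        self._data[sid] = (self._clock(), dict(values))
        return sid

    def load(self, sid):
        entry = self._data.get(sid)
        if entry is None:
            return None  # unknown or forged ID
        last_seen, values = entry
        if self._clock() - last_seen > self._idle:
            del self._data[sid]  # expired after inactivity, memory released
            return None
        self._data[sid] = (self._clock(), values)  # sliding expiry
        return values


def session_cookie(sid):
    """Set-Cookie value for a session: no Max-Age, so it ends with the browser."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["httponly"] = True  # not readable by page scripts
    c["sid"]["secure"] = True    # sent over HTTPS only
    c["sid"]["samesite"] = "Lax"
    c["sid"]["path"] = "/"
    return c["sid"].OutputString()


def persistent_cookie(name, value, days):
    """Set-Cookie value for a persistent cookie; the client holds the value."""
    c = SimpleCookie()
    c[name] = value
    c[name]["max-age"] = days * 86400  # survives browser restarts
    c[name]["secure"] = True
    c[name]["path"] = "/"
    return c[name].OutputString()
```

The server-side store is also where the memory cost mentioned in the question comes from: every live session occupies an entry until it expires or is removed.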


Here you can get all the answers about cookies and sessions:

What is the relation between cookies and session?