Cookies vs Sessions - Discover the Difference and Their Impact on Data Protection
In our recent article, the Ultimate Guide to Website Cookies we set out what cookies are, and why you need to know about them when it comes to complying with legislation and regulation.
We’ve noticed a number of online sources confusing “session variables” and “session cookies”. And, so this article picks up the cookie trail to explain the differences and why it’s important to get it right.
It’s important that you correctly understand how and where data is being stored and/or processed by devices, apps or browsers, as this has an impact on whether you’re compliant with various legislation including the GDPR and the ePrivacy Directive. So, in case you haven’t read last month’s article (and we suggest you do!), let’s quickly recap on a couple of basics.
What is a cookie?
A cookie is a small piece of data that is stored on a user's device, typically when using a web browser or app. They remember information about the user's interactions, preferences or identity. Cookies are a fundamental part of the web, and cookie data is used to enhance the browsing experience by enabling personalised content, site functionality, and tracking of user behaviour across different web pages and sessions.
What is a session cookie?
Cookies in general can either be “temporary” in that they only persist for that specific site visit (also known as a “session”); or “persistant” in that they persist across visits. Session cookies are always temporary cookies and only persist for that active session.
How can you tell the difference between a session cookie and a persistent cookie?
The easiest way to understand the difference is to consider an eCommerce website. If you visit an online store and add something to your basket, the site needs a way to remember what you have put in the basket so that when you leave that product page to look at something else on the website, your selection isn’t lost.
The website developers will have determined whether they want to use a “session cookie”, a “persistent cookie” or perhaps even a “session variable” (more on those in a minute) to store your selection *.
* Note: There are also other methods to perform the same task. For example, if you have an account and have logged in, they may opt to store your selection directly into a database, but for this article we’ll just focus on cookies and variables in isolation of other storage methods.
Let’s now imagine you were doing this shopping during a commute home on a train. Before you had time to complete your transaction, you arrived at your station so you closed the browser completely and got off the train.
Once you arrived home, you opened a new browser window and went back to the same website on the same device, using the same browser. This will start a new “session”.
If the item that you had previously saved into the shopping cart:
- has vanished - the site was potentially using a “session cookie”
- is still saved in the cart - the site was potentially using a “persistent cookie”
(This is an over-simplification, but we have skipped certain aspects in order to keep the explanation simple.)
Alternatively, you can view what type of cookie is being set by checking the data in the browser. For example, in Google Chrome do the following:
1. Right click on the webpage
2. Click on “Inspect”
3. This will open the inspector window. (This will normally be located down the right hand side of the browser, or along the bottom such as seen in the image below)
4. Click on the “Application” tab
5. Click on “Cookies”
6. You will then see all cookies stored on the device via that browser. In the example below, you can see there are a range of cookies being set by different sites. In the Databasix (https://www.dbxuk.com) list, you will see most of the cookies have an expiration date/time set which indicates they are persistent cookies. However, you will also notice one is a session cookie. Session cookies terminate at the end of the session and therefore don’t have an expiry date/time.
The cookies that are listed for you may be different as it depends on how you’re interacting with the site, and what you’ve granted permission for.
What is a session variable, and how is it different from a session cookie?
A session cookie is temporarily stored in the memory of the user’s device (also known as “client side”) whereas data assigned to a session variable is saved in the memory of the server (also known as “server side”).
A session variable is typically used within code scripts to temporarily store (sometimes just for nanoseconds) a value as part of an operation, calculation or function.
For example, a simple function that uses a session variable would be:
company_name = "Databasix UK Ltd"
print("We hope you're enjoying this article by: " + company_name)
Which would write out (or "output
" the following):
"We hope you're enjoying this article from Databasix UK Ltd
"
In the above example, “company_name” is a session variable, which is temporarily assigned the value of “Databasix UK Ltd” so that it can be used elsewhere in a function.
Session variables also have a number of additional benefits. Firstly, they tend to be more secure as the data is both encrypted and stored on the server side so data doesn’t need to be transferred from the client machine to the server or vice versa. In addition, more data can be stored within a session variable.
Are session variables and session cookies GDPR compliant?
Generally speaking, yes. That’s because, as we’ve touched on above, session cookies and session variables are usually reserved for tasks that are critical to the successful function of a website or app. These are normally listed on sites as being “strictly necessary”, “mandatory” or “essential” cookies.
However, it would be possible (but not recommended) to store personal information within a session cookie. This would not be compliant if it could be used to identify an individual.
This is one of the reasons why it’s so important to correctly understand the differences between persistent cookies, session cookies and session variables, as each has a specific purpose, so developers need to choose the right tool for the job.
We can offer bespoke advice and training in this area as the guidance for developers is quite niche and specific. However, as a starting point, they may want to check out our GDPR beginners guide if they’re unfamiliar with the basics of GDPR.
Do you need consent for session variables or session cookies?
Generally speaking, no; for the same reason mentioned above. Session cookies and session variables are usually essential for the correct operation of a website or app, and therefore fall within the scope of the strictly necessary cookies exemption.
Book our live cookie training course today
We trust that you’ve found these articles to be interesting and helpful.
However, nothing quite beats the in-depth learning that can be achieved with our professional training. At Databasix we offer a dedicated “Cookie compliance for website and apps” training course for organisations, specifically tailored to your requirements. Why not contact us today for a friendly, no obligation discussion about how we can help you.