What is a cookie? Sometimes it becomes necessary to track certain user details like (No. Of Visits, names, last visit, etc). The client machine stores such information and sends it to the web server whenever there is a request. Cookies data are sent along with the HTTP headers. You can look at this URL to know more about how they work. http://www.cookiecentral.com/faq/ Difference between session and cookie? The key difference would be cookies are stored in your hard disk whereas a session aren't stored in your hard disk. Sessions are basically like tokens, which are generated at authentication. A session is available as long as the browser is opened. Sessions are popularly used, as the there is a chance of your cookies getting blocked if the user browser security setting is set high. Note: When you issue a session_start() it generates a session ID and places that on the client side in a cookie. There are also some ways to avoid this using the tag rewrite. How secure is storing password using cookies? Generally we store the cookies with the username followed by the password. Now we can use any algorithm to encrypt the password before we store then to make it secured. Now we will have the user name and encrypted password stored in the cookie, which again can be played around. A good practice would be to avoid the storing of user name and using a unique ID generated. This is a overhead which we have to compromise to make thinks more secure. PHP Cookie Function As told earlier cookie is sent along with the HTTP headers and to do this we have the set_cookie() function. boolean setcookie ( string name [, string value [, int expire [, string path [, string domain [, int secure]]]]] ) All the arguments except the name argument are optional. If only the name argument is present, the cookie by that name will be deleted from the remote client. You may also replace any argument with an empty string ("") in order to skip that argument. The expire and secure arguments are integers and cannot be skipped with an empty string. Use a zero (0) instead. The expire argument is a regular Unix timestamp integer as returned by the time() or mktime() functions. The secure indicates that the cookie should only be transmitted over a secure HTTPS connection.