Sessions in web applications provide a way to persist data between requests.
When you start a new PHP session with
session_start(), by default, there is a
file created on the server somewhere in system temporary folder (/tmp on Linux,
for example or the location set in the php.ini file under the
INI directive). File name can be of format
its contents contain your
And there is also a special single cookie created in user browser with name
PHPSESSID and value of something like
That cookie connects the user browser with that file where
is stored. Quite a simple storing mechanism.
Now, these traditional sessions are slow and performance bottlenecks soon so other ways of storage are used, or also if you want to make them more secure, they can be encrypted (that file contents) and so on.
Whatever you do, try not to store anything sensitive in cookies. You actually won't need to create and use custom created cookies at all in most cases. Only for example, when you want to display that EU cookie warnings and to remember is user clicked "ok, don't display this next time". And similar cases.
For login, sessions are the way to go.
session_destroy() removes that file on the server but the PHPSESSID cookie
remains on the user browser. Which is not problematic because the new tmp file on
the server will be created next time you call
session_start() with new content
of your defined $_SESSION array contents...