I assume you know what cookies and session variables are, but you want to know which one is best to use.
To better understand if you need cookies or sessions, here’s a comparison.
Let’s say you have a website, where the user has to log in order to access some information.
Login page is login.php, and the user wants to visit also the pages info1.php and info2.php.
Both info1.php and info2.php verifies if the user has the right to access them, that is, if the user is logged in.
Case 1 : No cookies, no sessions
The user access login.php and logs in.
Then he tries to access info1.php. Because the HTTP protocol does not remember what the user did on page login.php, it asks the user to login again. That is, it redirects him to login.php. Let’s pus aside for a moment the user’s confusion, when he sees again the login page. The problem is that the user will never be able to access the information from info1.php and info2.php.
Case 2 : Sessions
The user access login.php and logs in. Then he tries to access info1.php. The system will append automatically something like SESSION_ID=yuqe3syqxrq to any page and info1.php will figure out, from that SESSION_ID that the user is logged in. Therefore, will allow him to access the information from info1.php
The problem occurs after the user closes his browser. In that moment, the SESSION_ID is permanently lost. If the user opens again a browser, he’ll have to login again.
Case 3 : Cookies
The user access login.php and logs in. In that moment, login.php will save a cookie on the user’s computer. Then the user tries to access info1.php. The system will read the cookie, and grant the user access to info1.php.
After the user closes his browser, the cookie is still there. So, by using cookies, the user will not have to login again each time.
What if the user refuses to allow cookies to be saved on his computer? Some websites, like GMail.com, will not allow him to do anything else until he activates the cookies. Others, will try to use sessions. It depends on the person who designed that site.
So, what’s best? Cookies or sessions? It’s up to you. I would use only cookies, and tell the user that he needs cookies for accessing restricted areas of the site. If the user doesn’t trust you, to give access to cookies, chances are high that will not trust you to pay for that restricted information.