I'm trying to figure out the difference between the usage of sessions and cookies in a particular use case. I'm building a Java difference service with server-side item storage. I see that generally everybody says that sessions are a better option: just store a session in Redis and use the session id to pull the data from the database.
But if I use a cookie, for example, and store the cart id in the cookie, and every request just checks the cookie for a cart id, won't it be the same? Can someone explain the difference in this situation and the security risks?
In my case the user is not authenticated.
It won't pose that severe a security risk (only for trivial data such as a shopping cart). It's even safer if you set the Secure and HttpOnly options on the cookie.
But if you already have some data store (like Redis) to manage the session state, there's completely no need to use the cookie as data storage, because you've already chosen to store the session-related data in that store, and the cookie does not show any information but the session key that distinguishes a certain client.
If you don't have and won't bring such storage into your service, yeah, cookies and local/session storage (in the browser) are the only choices.
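
The setup discussed in this thread, sketched as an added example (not code from the question or the answer): the cookie carries only an opaque cart id with Secure and HttpOnly set, and the items stay server-side. The cookie name `cart_id`, the in-memory map standing in for Redis, the 128-bit random id and the sample items are assumptions.

```java
import java.security.SecureRandom;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

public class CartCookieDemo {
    static final String COOKIE = "cart_id";                          // hypothetical cookie name
    static final Pattern ID = Pattern.compile("[A-Za-z0-9_-]{22}");  // 16 bytes as unpadded base64url
    static final SecureRandom RNG = new SecureRandom();
    // Stand-in for Redis (assumption): opaque id -> cart items, held only on the server.
    static final Map<String, List<String>> STORE = new ConcurrentHashMap<>();

    // 128 random bits: for an anonymous cart, knowing the id is the only access check.
    static String newCartId() {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    // Set-Cookie value carrying the Secure and HttpOnly options mentioned in the answer.
    static String setCookieHeader(String id) {
        return COOKIE + "=" + id + "; Path=/; Secure; HttpOnly";
    }

    // Pull the id out of a Cookie request header; malformed values never reach the store.
    static Optional<String> cartIdFrom(String cookieHeader) {
        if (cookieHeader == null) return Optional.empty();
        for (String part : cookieHeader.split(";")) {
            String[] kv = part.trim().split("=", 2);
            if (kv.length == 2 && kv[0].equals(COOKIE) && ID.matcher(kv[1]).matches())
                return Optional.of(kv[1]);
        }
        return Optional.empty();
    }

    // Returns the Set-Cookie header to send, or null when the request named a known cart.
    // An unknown id is never adopted: the server always mints its own.
    static String addItem(String cookieHeader, String item) {
        Optional<String> known = cartIdFrom(cookieHeader).filter(STORE::containsKey);
        String id = known.orElseGet(CartCookieDemo::newCartId);
        STORE.computeIfAbsent(id, k -> new ArrayList<>()).add(item);
        return known.isPresent() ? null : setCookieHeader(id);
    }

    public static void main(String[] args) {
        String setCookie = addItem(null, "sku-1001");                // constructed first request
        String id = setCookie.substring(COOKIE.length() + 1, setCookie.indexOf(';'));
        addItem(COOKIE + "=" + id, "sku-2002");                      // browser sends the cookie back
        addItem(COOKIE + "=not-a-valid-id", "sku-3003");             // malformed id: separate new cart
        System.out.println(setCookie.replace(id, "<id>"));
        System.out.println(STORE.get(id));
    }
}
```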