cookie and session

Session is used to save the message for the hole period of user dialogue in web service.Such as the message of user login.

In computer science, in particular networking, a session is a semi-permanent interactive information interchange, also known as a dialogue, a conversation or a meeting, between two or more communicating devices, or between a computer and user (see Login session). A session is set up or established at a certain point in time, and then torn down at some later point. An established communication session may involve more than one message in each direction. A session is typically, but not always, stateful, meaning that at least one of the communicating parts needs to save information about the session history in order to be able to communicate, as opposed to stateless communication, where the communication consists of independent requests with responses.

--------------  From Wikipedia

    public String login(String username, String captchaId,
            String captcha, Long storeId, HttpSession session,HttpServletRequest request)
    {
        String enPassword = rsaService.decryptParameter("enPassword", request);
        rsaService.removePrivateKey(request);

        if (!captchaService.isValid(CaptchaType.storeUserLogin, captchaId,
                captcha))
        {
            return AjaxMsg.failed("验证码错误");
        }

        if (Utils.isEmpty(username) || Utils.isEmpty(enPassword))
        {
            return AjaxMsg.failed("用户名或密码不能为空");
        }

        if(!Utils.isPositiveLong(storeId))
        {
            return AjaxMsg.failed("storeId不能为空");
        }

        List<Filter> filters = new ArrayList<Filter>();
        Filter filter = new Filter("username", Filter.Operator.eq, username);
        filters.add(filter);

        List<StoreUser> storeUsers = storeUserService.findList(null, filters,
                null);

        if (Utils.isEmpty(storeUsers))
        {
            return AjaxMsg.failed("用户不存在");
        }

        StoreUser storeUser = storeUsers.get(0);

        if(!storeId.equals(storeUser.getStoreShop().getId()))
        {
            return AjaxMsg.failed("用户不存在");
        }

        if (!storeUser.getEnabled())
        {
            return AjaxMsg.failed("该用户未启用");
        }

        if (!DigestUtils.md5Hex(enPassword).equals(storeUser.getPassword()))
        {
            return AjaxMsg.failed("用户名和密码不匹配");
        }

        session.setAttribute(StoreUser.PRINCIPAL_ATTRIBUTE_NAME, new Principal(storeUser.getId(), storeUser.getUsername()));

        return AjaxMsg.success(storeUser.getIsManager()+"");
    }

Differences between cookie and session:

Cookie can only save the value of ASCII string.But session can even save the value of java bean.We can take session as a java container.

Cookie is saved in web browser.So it's not safe.Session is saved in server.

We can set cookie's "period of validity" as long as we want.But can't this so for session.

Session is a burden of server.