[fChk]

Do you actually know JavaScript?.. @debjit

> Yes and No. I have finished the course 6 months ago but never used that extensively. Now I am learning React, so yes I know some javaScript. I am just not that confident with it.

I understand.. But if I were in your shoes, I would refrain from learning anything else till I master JavaScript (JS) first.. Without JS no modern WebDev is possible.. The shortcut of using ready-to-use frameworks is futile!..

JavaScript mastery has to be at 2 levels:
> the core language itself, meaning the syntax, the semantics and the assumptions etc..
> its use as the front-end scripting language which entails understanding the browser's APIs and DOM (Document Object Model) and their scripting with JS.

Why PHP sessions are more secure?..

> Here is how laravel makes the cookie more secure,
https://blog.laravel.com/laravel-cookie-...y-releases

Okay!.. Although they are 5 years late in using HMAc hash as of Jul, 27 2020..

Today's fix prefixes cookie values with an HMAC hash of the cookie's name before encryption and then verifies a matching hash on decryption, making it impossible to craft a valid cookie payload even if an encryption oracle is exposed via the application.

Besides, I hope you're aware that PHP sessions use a particular form of cookies too.. Do you know the difference between Cookies and Session cookies?

> Season data stays on the server there is no way normal users get their hands on it.

Indeed!.. Session data are generally stored in the session's table and the Session_ID stored in the session_cookie is what links that data to the user.. Every time the user requests something, the PHP script starts by fetching the user's session_ID from the session cookie then fetches the user's data by looking it up in the session table.

But my question was about the cookie itself!.. What differs it from the other?.. It's the expiry time: session cookies are temporary by definition and are lost when the browser exits, if -of course- they are still valid.

-Worth mentioning-
What this means is that people who don't explicitly logout will continue to have valid session cookies and this is hazardous given the possibility of session cookies hijacking.. Hence why it's always a good idea to logout when we're done with any critical login session!

It's hard to say if you don't layout the whole business logic of the App from start to finish.

> There is no business logic in this app. It's an app that I am making for my own teachers to use. They will use it to create exam for there students, and evaluate there result. There is no business aspect.

There is a misunderstanding here. I asked about the business logic not the business plan. In short, it's the workflow/logic that you want your app to perform from start to finish. Once that is logic is laid out, it becomes easier to add refinements here and there based on that pre-defined workflow. At least that's how I do things.

Good Luck!..