[Web-SIG] Session interface

Jonathan Ellis jonathan at carnageblender.com
Tue Aug 16 22:48:50 CEST 2005


On Tue, 16 Aug 2005 16:37:31 -0400, "Phillip J. Eby"
<pje at telecommunity.com> said:
> At 01:14 PM 8/16/2005 -0700, Jonathan Ellis wrote:
> >But there's a reason they're in such common use; it's a huge waste
> >(particularly for low-bandwidth clients) to store anything more than
> >absolutely necessary in a cookie that the client sends repeatedly.  Much
> >more efficient to send "here's my token" which the server uses to
> >retrieve the rest.
> 
> I agree; and in fact until I saw Ian's status-message example, I've never 
> had need to store anything in a cookie except login credentials or an 
> identifier used to find application objects like a shopping cart.
> 
> IOW, cookies are fundamentally for short strings.  However, if your session
> data consists solely of short strings, or short-lived medium-size strings
> (like a status message) then it works out nicely.

Sure, but given the choice between N short strings and one, one is
better. :)

> If you have session data other than short strings, then you should store it
> with your application data, since it's clearly data that's part of your
> application.

Still, it can be good to have a simple place to store non-permanent
information.

Is the potential for abuse worth it?  Perhaps not.  I also can't think
of a time when I needed sessions in the past 5 or so years.

-Jonathan

