[Web-SIG] Session interface

mike bayer mike_mp at zzzcomputing.com
Tue Aug 16 23:06:57 CEST 2005

Phillip J. Eby said:

> I agree; and in fact until I saw Ian's status-message example, I've never
> had need to store anything in a cookie except login credentials or an
> identifier used to find application objects like a shopping cart.
> IOW, cookies are fundamentally for short strings.  However, if your
> session
> data consists solely of short strings, or short-lived medium-size strings
> (like a status message) then it works out nicely.

theres also security considerations regarding using only cookies without
server side sessions.  For login tokens, if theres no corresponding
server-side token to match up that it is in fact a current login and not
something left over from a long-closed session, then some kind of clever
encryption combined with time information must be used on the client-side
token that can guarantee the login is recent and valid.

I always use server-side sessions for logins for this reason.  I also
think server-side sessions are an easy place to store user preferences and
permissioning information originally loaded from the database, as a quick
and easy way to cut down on repeated database calls per request, which is
not as cleanly represented as an extra few thousand characters sent back
and forth with every request.

all that said, my current employer uses cookie-only sessions for
scalability reasons.  might this be-all-end-all session API also have a
"client-only" implementation available ?

- mike

More information about the Web-SIG mailing list