Leslie Mikesell wrote:
> 
> According to Jeffrey W. Baker:
> 
> > > I keep meaning to write this up as an Apache:: module, but it's pretty trivial
> > > to cons up an application-specific version. The only thing this doesn't
> > > provide is a way to deal with large data structures. But generally if the
> > > application is big enough to need such data structures you have a real
> > > database from which you can reconstruct the data on each request, just store
> > > the state information in the cookie.
> >
> > Your post does a significant amount of hand waving regarding people's
> > requirements for their websites.  I try to keep an open mind when giving
> > advice and realize that people all have different needs.  That's why I
> > prefixed my advice with "On my sites..."
> 
> Can anyone quantify this a bit?

On my site, I *need* to use server-side session objects.  I am storing data
that the user should not be allowed to modify.  The session data is used
directly by the server to determine what data to send to users in different
cases.  If it were passed in the cookie, a malicious user could take
advantage of this and change the state of their session at will.

-Adi
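To make the point in the reply above concrete, here is an added example (not code from this thread, and in Python rather than the mod_perl the thread is about). It contrasts the three ways the state could live: in a server-side session object keyed by an opaque random id, in an unprotected cookie, and in a cookie that carries an HMAC over its contents. The session store, secret key, `render` function and the `role` field are all constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo: the server decides what page to show from the
# session's "role" field, which is exactly the kind of state the reply
# says the user must not be able to modify.
def render(state):
    return "admin panel" if state.get("role") == "admin" else "user page"


# --- Option 1: server-side session, cookie holds only an opaque id -------
SERVER_SIDE_SESSIONS = {}  # assumption: in-memory store; real sites use a DB


def create_server_session(state):
    sid = secrets.token_urlsafe(32)  # unguessable id is the only thing sent
    SERVER_SIDE_SESSIONS[sid] = dict(state)
    return sid


def render_for_server_session(sid):
    state = SERVER_SIDE_SESSIONS.get(sid)
    if state is None:
        return "unknown session"
    return render(state)


# --- Option 2: state serialised straight into the cookie, unprotected ----
def encode_cookie_state(state):
    return base64.urlsafe_b64encode(json.dumps(state).encode()).decode()


def decode_cookie_state(cookie):
    return json.loads(base64.urlsafe_b64decode(cookie.encode()))


def render_for_unsigned_cookie(cookie):
    # The server trusts whatever the client sent back.
    return render(decode_cookie_state(cookie))


# --- Option 3: state in the cookie, made tamper-evident with an HMAC -----
SECRET_KEY = secrets.token_bytes(32)  # assumption: key held only by the server


def sign_cookie_state(state, key=SECRET_KEY):
    payload = encode_cookie_state(state)
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + mac


def verify_cookie_state(cookie, key=SECRET_KEY):
    payload, _, mac = cookie.rpartition(".")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    return decode_cookie_state(payload)


def render_for_signed_cookie(cookie):
    state = verify_cookie_state(cookie)
    if state is None:
        return "rejected: bad signature"
    return render(state)


def demo():
    """Run all three designs against an honest client and a client that
    edits the 'role' field; returns what the server would serve."""
    honest = {"user": "alice", "role": "user"}
    edited = {"user": "alice", "role": "admin"}  # client-side modification

    sid = create_server_session(honest)
    unsigned = encode_cookie_state(honest)
    signed = sign_cookie_state(honest)
    # Client replaces the payload but cannot produce a matching MAC.
    signed_edited = encode_cookie_state(edited) + "." + signed.rpartition(".")[2]

    return {
        "server_side_valid": render_for_server_session(sid),
        "server_side_forged_id": render_for_server_session("not-a-real-session-id"),
        "unsigned_honest": render_for_unsigned_cookie(unsigned),
        "unsigned_edited": render_for_unsigned_cookie(encode_cookie_state(edited)),
        "signed_honest": render_for_signed_cookie(signed),
        "signed_edited": render_for_signed_cookie(signed_edited),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The unsigned cookie is the case the reply warns about: the server serves the admin panel because it believed the client's copy of the state. The signed cookie closes that hole but is still readable by the client (base64 is not encryption) and cannot be revoked server-side without extra bookkeeping, which is why state the server must control, or must be able to invalidate, still belongs in a server-side session.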