> As I understand it, the session data is "state" which is committed to
> the database on each request (possibly). It would seem to me that
> instead of denormalizing the state into a separate session table, you
> should just store it in a normal table.

The typical breakdown I use for this is to put simple state information that connects this browser to long-term data in the session, and everything else in normal database tables. So, I put the user's ID (if this session belongs to an identified user), a flag telling whether or not this user has given a secure login so far in this session, and not much else in the session.

Actually, even this stuff could be put into a normalized "sessions" table rather than serialized to a blob with Storable. It just means more work if you ever change what's stored in the session.

- Perrin
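
The two storage options discussed in the message above, side by side, as an added example that is not part of the original thread or anyone's production code. It assumes DBD::SQLite is installed; the table names, the session id, the user id and the `last_seen` field are hypothetical.

```perl
use strict;
use warnings;
use DBI qw(:sql_types);
use Storable qw(freeze thaw);

# Assumption: DBD::SQLite is installed; an in-memory database stands in for the real one.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 });

# Variant A: one opaque blob per session, serialized with Storable.
$dbh->do('CREATE TABLE session_blob (id TEXT PRIMARY KEY, data BLOB NOT NULL)');
# Variant B: normalized "sessions" table with the same two facts as typed columns.
$dbh->do('CREATE TABLE sessions (id TEXT PRIMARY KEY, user_id INTEGER,
          secure_login INTEGER NOT NULL DEFAULT 0)');

sub save_blob {
    my ($id, $state) = @_;
    my $sth = $dbh->prepare('INSERT OR REPLACE INTO session_blob (id, data) VALUES (?, ?)');
    $sth->bind_param(1, $id);
    $sth->bind_param(2, freeze($state), SQL_BLOB);   # bind as binary, not text
    $sth->execute;
}

sub load_blob {
    my ($id) = @_;
    my ($data) = $dbh->selectrow_array('SELECT data FROM session_blob WHERE id = ?', undef, $id);
    return defined $data ? thaw($data) : undef;
}

sub save_row {
    my ($id, $state) = @_;
    $dbh->do('INSERT OR REPLACE INTO sessions (id, user_id, secure_login) VALUES (?, ?, ?)',
             undef, $id, $state->{user_id}, $state->{secure_login} ? 1 : 0);
}

sub load_row {
    my ($id) = @_;
    return $dbh->selectrow_hashref(
        'SELECT user_id, secure_login FROM sessions WHERE id = ?', undef, $id);
}

# Constructed sample: the session id and user id are made up for the example.
my %state = (user_id => 42, secure_login => 1);
save_blob('sess-constructed-1', \%state);
save_row('sess-constructed-1', \%state);
printf "blob: user=%d secure=%d\n", @{ load_blob('sess-constructed-1') }{qw(user_id secure_login)};
printf "row:  user=%d secure=%d\n", @{ load_row('sess-constructed-1') }{qw(user_id secure_login)};

# Changing what is stored: the blob takes a new hash key with no schema change,
# while the normalized table needs a migration first (hypothetical column name).
save_blob('sess-constructed-1', { %state, last_seen => time });
$dbh->do('ALTER TABLE sessions ADD COLUMN last_seen INTEGER');
```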