On 09/18/2009 10:33 AM, Randal L. Schwartz wrote:

> Ahh, phase 2 of cookie awareness.  When you get to phase 3, you realize that
> cookies should really just be used to distinguish one browser from another,
> and hold everything server-side instead for far better security and
> flexibility.

I disagree. Using cookies for session data has a lot of advantages:

+ No need to have a permanent data store (DBD::Deep is single-server only, and why waste the resources to go across the network to your DB or cache if you don't have to?). Also no need to clean up this data store periodically. Having a single source for this data also kills scalability.

+ If it's commonly used data, putting it into a cookie will make it available to the client-side JavaScript. Why waste server resources to do what the client's machine can do? In fact, I find it's more flexible to have this information in the cookie since my front end folks can then use it to add functionality without having to trouble the back end folks.

And securing a cookie is pretty easy. If the information is not sensitive then you just need to put a hash in it to make sure it's not tampered with. If it is sensitive, then encryption works for cookies too. I'm not saying there aren't uses for large server-side sessions, but I think they are pretty few.

--
Michael Peters
Plus Three, LP
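
The tamper check described in the message above, as an added example that is not part of the original post: it assumes the "hash" is an HMAC-SHA256 keyed with a secret only the server holds, so a client cannot recompute it after editing the value, and it binds an expiry time into the signed data. The names `sign_cookie`, `verify_cookie`, `ct_eq` and `$SECRET` are hypothetical, and the payload stays readable (base64url, not encrypted) for client-side code.

```perl
#!/usr/bin/perl
# Added example: tamper-evident cookie value using a keyed hash (HMAC-SHA256).
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);
use MIME::Base64 qw(encode_base64url decode_base64url);

# Constructed key for the demo; a real key is random and kept in server config.
my $SECRET = 'constructed-demo-key-do-not-reuse';

# Build "payload.expiry.mac"; the payload is base64url so it is cookie-safe.
sub sign_cookie {
    my ($data, $ttl, $now) = @_;
    $now //= time;
    my $body = encode_base64url($data) . '.' . ($now + $ttl);
    return $body . '.' . hmac_sha256_hex($body, $SECRET);
}

# Compare two strings without stopping at the first differing byte.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Return the payload, or undef if the value is malformed, tampered or expired.
sub verify_cookie {
    my ($cookie, $now) = @_;
    $now //= time;
    my ($b64, $exp, $mac) =
        $cookie =~ /\A([A-Za-z0-9_-]*)\.(\d+)\.([0-9a-f]{64})\z/ or return;
    # Check the MAC before trusting any field, including the expiry.
    return unless ct_eq($mac, hmac_sha256_hex("$b64.$exp", $SECRET));
    return if $exp < $now;
    return decode_base64url($b64);
}

# Constructed sample data: a valid value, an edited payload, and a stale value.
my $cookie = sign_cookie('user=42;theme=dark', 3600);
print "valid:    ", verify_cookie($cookie) // 'REJECTED', "\n";
(my $edited = $cookie) =~ s/\A[^.]*/encode_base64url('user=1;theme=dark')/e;
print "tampered: ", verify_cookie($edited) // 'REJECTED', "\n";
print "expired:  ", verify_cookie($cookie, time + 7200) // 'REJECTED', "\n";
```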
