Phillip J. Eby said:
> I agree; and in fact until I saw Ian's status-message example, I've never
> had need to store anything in a cookie except login credentials or an
> identifier used to find application objects like a shopping cart.
>
> IOW, cookies are fundamentally for short strings. However, if your session
> data consists solely of short strings, or short-lived medium-size strings
> (like a status message) then it works out nicely.
There are also security considerations regarding using only cookies without server-side sessions. For login tokens, if there's no corresponding server-side token to match up that it is in fact a current login and not something left over from a long-closed session, then some kind of clever encryption combined with time information must be used on the client-side token that can guarantee the login is recent and valid. I always use server-side sessions for logins for this reason.

I also think server-side sessions are an easy place to store user preferences and permissioning information originally loaded from the database, as a quick and easy way to cut down on repeated database calls per request, which is not as cleanly represented as an extra few thousand characters sent back and forth with every request.

All that said, my current employer uses cookie-only sessions for scalability reasons. Might this be-all-end-all session API also have a "client-only" implementation available?

- mike

_______________________________________________
Web-SIG mailing list
Web-SIG@python.org
Web SIG: http://www.python.org/sigs/web-sig
Unsubscribe: http://mail.python.org/mailman/options/web-sig/archive%40mail-archive.com
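The two approaches Mike contrasts, as an added example in Python (not code from the thread or from any Web-SIG project): a client-only login token whose recency is guaranteed by an HMAC over its issue and expiry times, beside a server-side session store that can revoke a login on logout. The secret, user ids and timestamps are constructed test values.

```python
import base64, binascii, hashlib, hmac, json, secrets

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_client_token(secret: bytes, user_id: str, now: int, ttl: int) -> str:
    """Client-only login token: the payload carries issue/expiry times and an
    HMAC binds them, so the server needs no stored state to check recency."""
    payload = json.dumps({"uid": user_id, "iat": now, "exp": now + ttl},
                         separators=(",", ":")).encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(mac)

def verify_client_token(secret: bytes, token: str, now: int):
    """Return the user id if the MAC is valid and the token is current, else None.
    Note what this cannot do: invalidate a token early (e.g. on logout)."""
    try:
        p, m = token.split(".", 1)
        payload, mac = _b64d(p), _b64d(m)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    data = json.loads(payload)
    if not (data["iat"] <= now < data["exp"]):   # stale or not yet valid
        return None
    return data["uid"]

class ServerSessionStore:
    """Server-side sessions: the cookie holds only an opaque id, and the
    server can drop the entry so a leftover cookie no longer logs anyone in."""
    def __init__(self):
        self._sessions = {}

    def create(self, user_id: str, now: int, ttl: int) -> str:
        sid = secrets.token_urlsafe(32)          # unguessable session id
        self._sessions[sid] = {"uid": user_id, "exp": now + ttl}
        return sid

    def lookup(self, sid: str, now: int):
        s = self._sessions.get(sid)
        if s is None or now >= s["exp"]:
            self._sessions.pop(sid, None)        # expire lazily
            return None
        return s["uid"]

    def destroy(self, sid: str) -> None:         # logout
        self._sessions.pop(sid, None)
```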