Django - Difference between Database backed sessions and Cookie Based Session?

Was going through Django Documentation and found this "https://docs.djangoproject.com/en/1.4/topics/http/sessions/#using-database-backed-sessions". What is the difference between database backed sessions and cookie based sessions? What is the advantage of one over the other? And what are the disadvantages?

Akash K asked Aug 14 '13 18:08



1 Answer

A Session is used by websites to store application state for visitors across multiple page loads.

Cookie Sessions

  • Store their data on the client/user end
  • Work smoothly when you have a cluster of web servers
  • Browsers typically limit cookies to a maximum size of around 4 kilobytes per domain, so session data size is limited
  • Cookies can be set to a long lifespan, which means that data stored in a session cookie could be kept for months if not years (users can clear cookies, though)
  • Must be set with the HttpOnly and Secure flags; otherwise they can easily be stolen via XSS

Database Sessions

  • Store their data server side
  • If one of your web servers handles the first request, the other web servers in your cluster will not have the stored information unless user session data is stored centrally
  • Clients do not have access to the information you store about them, and are therefore better for sensitive data.
  • Data doesn't have to travel from client to server on each request (clients just need to send an ID so the server can load the data)
  • Can store more data, since stored on server instead of in a cookie

Cookie Sessions vs Database Sessions

| Feature                       | Cookie Sessions | Database Sessions |
|-------------------------------|-----------------|-------------------|
| Works without database        | Yes             | No                |
| Can store sensitive user data | No*             | Yes               |

* Can store pointers referencing sensitive user data on the server, just not the sensitive data itself.

Both Cookie Sessions and Database Sessions work the same way; the only difference is where the data is stored. Django defaults to Database Sessions while Flask defaults to Cookie Sessions.


More information:
https://en.wikipedia.org/wiki/Session_(computer_science)
http://php.about.com/od/learnphp/qt/session_cookie.htm
http://wonko.com/post/why-you-probably-shouldnt-use-cookies-to-store-session-data
http://www.tuxradar.com/practicalphp/10/1/0

Seren answered Oct 15 '22 10:10

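A small stdlib illustration of the distinction drawn in the answer above (an added example, not code from the original answer or from Django itself): the HMAC-signed cookie stands in for Django's signed-cookie session backend and the in-memory dict stands in for the `django_session` table. It shows that a cookie session's data is readable by whoever holds the cookie even though it cannot be altered, while a database session sends the client only an opaque key.

```python
import base64
import hashlib
import hmac
import json
import secrets

SECRET_KEY = b"constructed-demo-secret"  # assumption: stands in for Django's SECRET_KEY


def cookie_session_encode(data: dict) -> str:
    """Cookie session: the data itself goes to the client, signed so it cannot be changed."""
    payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    sig = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def cookie_session_decode(cookie: str):
    """Server side: accept the data only if the signature matches; None means tampered/forged."""
    payload, _, sig = cookie.rpartition(".")
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def client_can_read(cookie: str) -> dict:
    """What the client (or anyone who sees the cookie) learns WITHOUT the secret key."""
    payload = cookie.rpartition(".")[0]
    return json.loads(base64.urlsafe_b64decode(payload))


SESSION_STORE: dict = {}  # constructed stand-in for the django_session table


def db_session_create(data: dict) -> str:
    """Database session: keep the data server side, hand the client only a random key."""
    session_key = secrets.token_urlsafe(32)
    SESSION_STORE[session_key] = dict(data)
    return session_key


def db_session_load(session_key: str):
    """Server side: look the data up by key; None for an unknown or expired key."""
    return SESSION_STORE.get(session_key)
```

The cookie-session payload is only signed, not encrypted, which is why the answer's table says it should hold pointers to sensitive data rather than the data itself.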