 

Handling sessions for scalability

I'm currently making a site that is very database oriented, somewhat like Stack Overflow. My question is how to handle sessions that will travel across several servers (I plan on using AWS servers for auto scaling).

Currently I am under the belief that I should not use Forms Authentication for scalability and speed purposes. Instead I would have a table in the database called sessions that stores the following information: SessionID, UserID, ExpDate, CreateDate, IP, Status('LoggedIn', 'LoggedOut', 'Expired').

My biggest concern would be security from the standpoint of cookies and not having the experience to see a bottleneck scenario when I have a lot of servers running.

Please provide me with your insight. I'd also like to know how others and Stack Overflow are handling this dilemma.

FYI: For the same reasons I'm using PetaPoco instead of Entity Framework as I was able to shave off around 600ms by doing so.

Thank you for your help!

Radar5000 asked Oct 21 '22 03:10


1 Answer

I am not aware of any scalability issues with using Forms Authentication. Essentially, it encrypts an authorization token into a cookie and the cookie is presented to the server on each request. Using cookies instead of in-process session does allow for scalability as it is not tied to any one specific server.

The encryption uses a machineKey value that is stored on the server so breaking the encryption would require getting a hold of the machineKey.

In general, I try not to implement my own authorization and instead try to stick with out-of-the-box solutions that have been tested.

Your approach of using a session store still requires the use of a cookie to store some kind of pointer to the session store. Depending on your implementation, it might be easy to guess this information and easily impersonate someone else.

EDIT:

Since you are running on AWS, I would suggest you take advantage of ElastiCache to reduce the number of DB hits.

Cloud SME answered Oct 23 '22 19:10
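The answer makes two points that are easy to get wrong when rolling your own session table: the cookie must carry a pointer that cannot be guessed, and every server must be able to validate it without sharing in-process state. The following is an added illustration (not code from the question, the answer, or any ASP.NET library) written in Python rather than C# so it can run stand-alone. It assumes a signing key shared by all web servers (the role ASP.NET's machineKey plays), an in-memory dictionary standing in for the asker's proposed sessions table, and a 256-bit random session ID of which only the SHA-256 hash is stored server-side.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed shared signing key: in a real deployment this is distributed to every
# web server out of band (the analogue of ASP.NET's machineKey), never hard-coded.
SHARED_KEY = b"replace-with-a-32-byte-key-shared-by-all-servers"
SESSION_TTL_SECONDS = 3600

# Constructed in-memory stand-in for the proposed "sessions" table, keyed by the
# SHA-256 hash of the session ID so that a dump of the table does not hand out
# usable session IDs.
sessions_table: dict = {}


def _hash_session_id(session_id: str) -> str:
    return hashlib.sha256(session_id.encode()).hexdigest()


def _sign(value: str) -> str:
    # HMAC with the server-shared key; any server can verify, no server state needed.
    return hmac.new(SHARED_KEY, value.encode(), hashlib.sha256).hexdigest()


def _parse_cookie(cookie_value: str) -> Optional[str]:
    """Return the session ID if the cookie's HMAC verifies, else None."""
    session_id, _, mac = cookie_value.rpartition(".")
    if not session_id or not hmac.compare_digest(mac, _sign(session_id)):
        return None  # forged or tampered cookie: rejected before any DB hit
    return session_id


def create_session(user_id: int, ip: str, now: Optional[float] = None) -> str:
    """Insert a row in the session store and return the value to set as the cookie."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not guessable
    sessions_table[_hash_session_id(session_id)] = {
        "user_id": user_id,
        "create_date": now,
        "exp_date": now + SESSION_TTL_SECONDS,
        "ip": ip,
        "status": "LoggedIn",
    }
    return f"{session_id}.{_sign(session_id)}"


def resolve_session(cookie_value: str, now: Optional[float] = None) -> Optional[int]:
    """Return the user_id for a valid, unexpired, logged-in session, else None."""
    now = time.time() if now is None else now
    session_id = _parse_cookie(cookie_value)
    if session_id is None:
        return None
    row = sessions_table.get(_hash_session_id(session_id))
    if row is None or row["status"] != "LoggedIn":
        return None
    if now >= row["exp_date"]:
        row["status"] = "Expired"
        return None
    return row["user_id"]


def logout(cookie_value: str) -> bool:
    """Mark the session LoggedOut so every server rejects the cookie from now on."""
    session_id = _parse_cookie(cookie_value)
    if session_id is None:
        return False
    row = sessions_table.get(_hash_session_id(session_id))
    if row is None:
        return False
    row["status"] = "LoggedOut"
    return True


if __name__ == "__main__":
    cookie = create_session(user_id=42, ip="203.0.113.5")
    print("resolved user:", resolve_session(cookie))
    print("tampered cookie resolves to:", resolve_session(cookie + "x"))
    print("logout:", logout(cookie), "after logout:", resolve_session(cookie))
```

The HMAC check runs before the database lookup, so a forged or guessed cookie costs no DB round trip; the ElastiCache suggestion in the answer would sit in front of `sessions_table` for the lookups that do pass the check. Revocation (logout, expiry) lives in the store, which is the one thing an encrypted self-contained cookie alone cannot give you.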