Using in-process session state is evil when it comes to scaling web applications (does not play well with clusters, bombs out when server recycles).
Assuming you just need to keep a small amount of information in the session state, what is the downside of using encrypted cookie items for this purpose rather than specific state servers/DBs?
Obviously using cookies will create a small amount of network overhead, and clearly you operate under the assumption that cookies are enabled on the client browser/mobile device.
What other pitfalls can you see with this approach?
Is this a good option for simple, scalable and robust sessions?
The main drawback is privacy for most users. Cookie-enabled web browsers keep track of all the websites you have visited, and third parties can access the information stored by these cookies. These third parties can be advertisers, other users or, in some cases, the government.
Some limitations of cookies include the fact that many browsers limit the amount of data sent through cookies (only 4,096 bytes are guaranteed) and that clients can potentially disable all cookie support in their browser.
Most cookies are able to store information only up to 4 KB. Browsers also pose restrictions when it comes to the number of cookies. Except for Internet Explorer, all other browsers only allow up to 20 cookies for a single website. Apart from security, privacy is another concern for users of cookies.
Sessions are more secure compared to cookies, as they save data in encrypted form. Cookies are not secure, as data is stored in a text file, and if any unauthorized user gets access to our system, he can tamper with the data.
This is an excellent approach for simple, scalable, and robust sessions. Of course the quality of your crypto is important, and that is something that often proves tricky to get right, but it's possible to do.
I disagree with some of the other posters:
Any replay attack that can be launched against an encrypted cookie value can be launched against a session key stored as a cookie. Use https if this matters.
Session data stored in a state server or database is also lost if the cookie is cleared; when the session key is lost the session can no longer be retrieved.
Another pitfall is that they can be stolen and replayed on your site.
BTW: Instead of storing some stuff in the cookie, you should also look at storing a key in the cookie and using something like memcached (memcached works across server farms).
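The two points the answers above keep returning to are the quality of the crypto and the fact that a stolen cookie can be replayed. The following is an added example, not code from any of the posters: it seals session data with AES-GCM (authenticated encryption, so any modified byte is rejected), binds an expiry to the ciphertext so the replay window is bounded, and refuses to issue a cookie above the 4,096-byte limit mentioned above. The key handling is assumed (a 32-byte key supplied by the caller); the wire layout (8-byte expiry, 12-byte nonce, ciphertext+tag, base64url) is this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"time"
)

const nonceSize = 12 // standard AES-GCM nonce size; an 8-byte expiry header precedes it
var errBadCookie = errors.New("session cookie rejected")

// Seal encrypts payload with AES-GCM (32-byte key = AES-256). The expiry travels as
// additional data, so expiry, ciphertext and tag are bound together, and a fresh random
// nonce keeps identical sessions distinct. Expiry only bounds the replay window.
func Seal(key, payload []byte, expiry time.Time) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint64(hdr, uint64(expiry.Unix()))
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	raw := append(append(hdr, nonce...), gcm.Seal(nil, nonce, payload, hdr)...)
	if cookie := base64.RawURLEncoding.EncodeToString(raw); len(cookie) <= 4096 { // browser limit
		return cookie, nil
	}
	return "", errors.New("session state too large for a cookie")
}

// Open rejects the cookie on bad encoding, wrong key, any modified byte, or expiry.
func Open(key []byte, cookie string, now time.Time) ([]byte, error) {
	raw, err := base64.RawURLEncoding.DecodeString(cookie)
	block, kerr := aes.NewCipher(key)
	if err != nil || kerr != nil || len(raw) < 8+nonceSize {
		return nil, errBadCookie
	}
	gcm, _ := cipher.NewGCM(block)
	hdr, nonce, ct := raw[:8], raw[8:8+nonceSize], raw[8+nonceSize:]
	pt, err := gcm.Open(nil, nonce, ct, hdr) // tag check covers hdr, nonce and ct
	if err != nil || now.Unix() > int64(binary.BigEndian.Uint64(hdr)) {
		return nil, errBadCookie
	}
	return pt, nil
}
```

Within the expiry window a copied cookie still opens, which is exactly the replay point made above; the expiry limits the damage, and HTTPS plus a short lifetime limit the exposure.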