perl-modperl mailing list archives

From Michael Peters
Subject Re: Updating cookies in header during request processing
Date Fri, 18 Sep 2009 15:08:40 GMT
On 09/18/2009 10:33 AM, Randal L. Schwartz wrote:

> Ahh, phase 2 of cookie awareness.  When you get to phase 3, you realize that
> cookies should really just be used to distinguish one browser from another,
> and hold everything server-side instead for far better security and
> flexibility.

I disagree. Using cookies for session data has a lot of advantages:

+ No need to have a permanent data store (DBD::Deep is single server 
only and why waste the resources to go across the network to your DB or 
cache if you don't have to). Also no need to clean up this data store 
periodically. Having a single source for this data also kills scalability.

+ If it's commonly used data, putting it into a cookie will make it 
available to the client-side JavaScript. Why waste server resources to 
do what the client's machine can do? In fact, I find it's more flexible 
to have this information in the cookie since my front end folks can then 
use it to add functionality without having to trouble the back end folks.

And securing a cookie is pretty easy. If the information is not 
sensitive then you just need to put a hash in it to make sure it's not 
tampered with. If it is sensitive, then encryption works for cookies 
too. I'm not saying there aren't uses for large server-side sessions, 
but I think they are pretty few.

Michael Peters
Plus Three, LP
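
The tamper check mentioned in the message above ("put a hash in it"), sketched in Perl as an added example that is not part of the original post: the hash here is a keyed one (HMAC-SHA256) computed over the payload and an expiry time. The key, the cookie layout and the function names are assumptions made for this illustration.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);
use MIME::Base64 qw(encode_base64url decode_base64url);

# Constructed demo key (assumption); a real key is random and stays server-side.
my $KEY = 'constructed-demo-key-not-for-production';

# Constant-time comparison, so verification time does not reveal how many
# leading characters of a submitted tag were correct.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Cookie value = base64url(payload) "." expiry "." HMAC over the first two fields.
# The payload is signed, not encrypted: the client can still read it.
sub seal_cookie {
    my ($payload, $ttl, $now) = @_;
    my $body = encode_base64url($payload) . '.' . ($now + $ttl);
    return $body . '.' . hmac_sha256_hex($body, $KEY);
}

# Returns the payload, or undef if the value is malformed, altered or expired.
sub open_cookie {
    my ($value, $now) = @_;
    my ($b64, $exp, $tag) =
        $value =~ /\A([A-Za-z0-9_-]*)\.([0-9]{1,12})\.([0-9a-f]{64})\z/ or return;
    return unless ct_eq($tag, hmac_sha256_hex("$b64.$exp", $KEY));
    return if $exp < $now;
    return decode_base64url($b64);
}

# Constructed demo values: a fixed clock and a harmless preference payload.
my $now    = 1_253_286_520;
my $cookie = seal_cookie('theme=dark;lang=en', 3600, $now);
(my $altered = $cookie) =~ s/\A[^.]*/encode_base64url('theme=light;lang=en')/e;

printf "intact:  %s\n", open_cookie($cookie,  $now)        // 'rejected';
printf "altered: %s\n", open_cookie($altered, $now)        // 'rejected';
printf "expired: %s\n", open_cookie($cookie,  $now + 7200) // 'rejected';
```

Signing the expiry together with the payload means the lifetime cannot be extended client-side without invalidating the tag.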
