Changes between Version 2 and Version 3 of SessionState

Timestamp:

Nov 6, 2009, 12:22:16 PM (14 years ago)

Author:

cmlenz

Comment:

Some background

SessionState

@@ -1 +1 @@
 = Session State =
 
-The `diva.session` module implements management of session state, based entirely on client-side storage via HTTP cookies.
+The `diva.session` module implements management of session state, based entirely on client-side storage via HTTP cookies. The cookie used to store the session data contains the session data encoded as JSON, and is authenticated using [http://tools.ietf.org/html/rfc2104.html HMAC-SHA1-128] based on a secret key known to the server. This means that the user cannot tamper with the cookie value to modify session state directly, bypassing the server-side application logic that is responsible for managing the session.
 
-== Design ==
+== Background ==
 
+Cookie-based session storage is much more efficient than storing the data on the server-side (the way many web applications handle session state), as long as the amount of session state is kept small. Instead of requiring a database fetch every time the session is accessed (which is on '''every request''' for most dynamic web applications), there's only the very small cost of decoding and authenticating the session cookie header.
 
+But trying to store large amounts of data in the session will result in a very large session cookie being transmitted back and forth for every HTTP request (also, there's a ~4KB limit to cookie size). Applications that need to track large amounts of state are often better off storing that state in a database explicitly. Such applications can still use the generic session storage to associate the stored state with incoming requests, if necessary.
 
 == Usage ==