close
Warning:
Can't synchronize with repository "(default)" (Unsupported version control system "svn": No module named svn). Look in the Trac log for more information.
- Timestamp:
-
Nov 6, 2009, 12:22:16 PM (15 years ago)
- Author:
-
cmlenz
- Comment:
-
Some background
Legend:
- Unmodified
- Added
- Removed
- Modified
-
v2
|
v3
|
|
1 | 1 | = Session State = |
2 | 2 | |
3 | | The `diva.session` module implements management of session state, based entirely on client-side storage via HTTP cookies. |
| 3 | The `diva.session` module implements management of session state, based entirely on client-side storage via HTTP cookies. The cookie used to store the session data contains the session data encoded as JSON, and is authenticated using [http://tools.ietf.org/html/rfc2104.html HMAC-SHA1-128] based on a secret key known to the server. This means that the user cannot tamper with the cookie value to modify session state directly, bypassing the server-side application logic that is responsible for managing the session. |
4 | 4 | |
5 | | == Design == |
| 5 | == Background == |
6 | 6 | |
| 7 | Cookie-based session storage is much more efficient than storing the data on the server-side (the way many web applications handle session state), as long as the amount of session state is kept small. Instead of requiring a database fetch every time the session is accessed (which is on '''every request''' for most dynamic web applications), there's only the very small cost of decoding and authenticating the session cookie header. |
7 | 8 | |
| 9 | But trying to store large amounts of data in the session will result in a very large session cookie being transmitted back and forth for every HTTP request (also, there's a ~4KB limit to cookie size). Applications that need to track large amounts of state are often better off storing that state in a database explicitly. Such applications can still use the generic session storage to associate the stored state with incoming requests, if necessary. |
8 | 10 | |
9 | 11 | == Usage == |