close Warning: Can't synchronize with repository "(default)" (Unsupported version control system "svn": No module named svn). Look in the Trac log for more information.

Changes between Version 2 and Version 3 of SessionState


Ignore:
Timestamp:
Nov 6, 2009, 12:22:16 PM (12 years ago)
Author:
cmlenz
Comment:

Some background

Legend:

Unmodified
Added
Removed
Modified
  • SessionState

    v2 v3  
    11= Session State =
    22
    3 The `diva.session` module implements management of session state, based entirely on client-side storage via HTTP cookies.
     3The `diva.session` module implements management of session state, based entirely on client-side storage via HTTP cookies. The cookie used to store the session data contains the session data encoded as JSON, and is authenticated using [http://tools.ietf.org/html/rfc2104.html HMAC-SHA1-128] based on a secret key known to the server. This means that the user cannot tamper with the cookie value to modify session state directly, bypassing the server-side application logic that is responsible for managing the session.
    44
    5 == Design ==
     5== Background ==
    66
     7Cookie-based session storage is much more efficient than storing the data on the server-side (the way many web applications handle session state), as long as the amount of session state is kept small. Instead of requiring a database fetch every time the session is accessed (which is on '''every request''' for most dynamic web applications), there's only the very small cost of decoding and authenticating the session cookie header.
    78
     9But trying to store large amounts of data in the session will result in a very large session cookie being transmitted back and forth for every HTTP request (also, there's a ~4KB limit to cookie size). Applications that need to track large amounts of state are often better off storing that state in a database explicitly. Such applications can still use the generic session storage to associate the stored state with incoming requests, if necessary.
    810
    911== Usage ==