On Mar 15, 5:57 pm, Adam Lee <[email protected]> wrote:
> On Sun, Mar 14, 2010 at 2:59 PM, Les Mikesell <[email protected]> wrote:
> > Adam Lee wrote:
> >
> >> well, it depends on what you mean by scalability... i'm personally of
> >> the opinion that traditional sessions should be avoided if you want to
> >> truly scale.
> >
> > And yet, everyone wants dynamic pages custom-generated to the user's
> > preferences. So how do you reconcile that? You can help things a bit by
> > splitting pages into iframe/image components that do/don't need sessions,
> > and you can make the client do more of the work by sending back values in
> > cookies instead of just the session key, but I'm not sure how far you can
> > go.
>
> Well, I guess it depends on your definition of "session." Obviously, you
> need to account for user preferences and such, but I don't consider those
> "session" data since they are consistent across any session that the user
> instantiates.
>
> Probably the easiest way to build a "stateless"/shared-nothing web
> application, and what we've done to scale, is to store user authentication
> data and the like in an encrypted cookie. Any other session-like data (geo
> location from IP lookup, language preference, etc) can be set in separate
> cookies. Since cookies are sent with every request, it is possible to
> easily authenticate that the user is who they say they are and discern the
> necessary data to build their page using only these cookies and you don't
> need to look anything up in any sort of centralized session cache.
>
> Data that is needed to authenticate a request or to display a message on a
> subsequent page view (things that would be stored in the Flash in Rails,
> from how I understand that to work) can be encoded into a cryptographically
> secure "token" that is passed to the following request.

Yes, I like the implementation outlined in the "A secure cookie protocol" paper,
http://scholar.google.co.uk/scholar?cluster=1658505294292503872&hl=en&as_sdt=2000

And using technologies like ESI (http://en.wikipedia.org/wiki/Edge_Side_Includes) where you can have HTML fragments which return vary heads on the cookies, can move the session problem from the application server to an HTTP accelerator (Varnish/Squid3/..) in front of it.

Jared
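
A sketch of the stateless cookie approach discussed in this thread, added here as an example and not code from any poster or from the cited paper: any application server holding the shared key can verify the cookie without a central session cache. The key, field layout and function names are assumptions; the data field is authenticated and given an expiry but not encrypted, which would need an AEAD cipher from a crypto library.

```python
import base64
import hashlib
import hmac
import time

# Assumption: one secret shared by every app server (constructed demo value).
SERVER_KEY = b"constructed-demo-key-not-for-production"

def b64e(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def cookie_key(user_field, expires_field):
    # Per-cookie MAC key bound to the user and expiry fields.
    msg = f"{user_field}|{expires_field}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()

def issue_cookie(user, data, ttl=3600, now=None):
    """Build user|expiry|data|tag; fields are base64url so '|' is unambiguous."""
    expires = int(time.time() if now is None else now) + ttl
    body = "|".join((b64e(user.encode()), str(expires), b64e(data.encode())))
    key = cookie_key(*body.split("|")[:2])
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "|" + b64e(tag)

def verify_cookie(cookie, now=None):
    """Return (user, data) if the cookie is authentic and unexpired, else None."""
    try:
        user_f, exp_f, data_f, tag_f = cookie.split("|")
        tag = b64d(tag_f)
        body = "|".join((user_f, exp_f, data_f)).encode()
        expected = hmac.new(cookie_key(user_f, exp_f), body, hashlib.sha256).digest()
        # Check the MAC (constant time) before trusting any field.
        if not hmac.compare_digest(tag, expected):
            return None
        if (time.time() if now is None else now) >= int(exp_f):
            return None
        return b64d(user_f).decode(), b64d(data_f).decode()
    except (ValueError, UnicodeDecodeError):
        return None  # malformed cookie: wrong field count or bad encoding

if __name__ == "__main__":
    c = issue_cookie("alice", "lang=en", ttl=60, now=1000)
    print(c, verify_cookie(c, now=1001))
```
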
