Tina Mueller <apa...@s05.tinita.de> writes:

> On Wed, 16 Sep 2009, Michael Peters wrote:
>
[...]
>> If you need to store per-session data about a client that the client
>> shouldn't be able to see, then you just encrypt that data, base-64
>> encode it and then put it into a cookie.
>
> How does the user invalidate that "session"? (in case the cookie leaked
> or something like that). Or how can the website owner log out a certain
> user?

Right, that is the trade-off for improved performance and scalability.
Different trade-offs will make sense for different sites.  For most
sites, the performance and scalability won't matter too much, but for
some it will.

Simple things like timestamping the cookie and expiring it after
a while can help some, but they will not get you the flexibility of
keeping everything in a database.

-----Scott.
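The scheme discussed above (encrypt the per-session data, base-64 encode it, put it in a cookie, and stamp it so it expires) as a worked example. This is added illustration, not code from anyone in the thread. It assumes a 32-byte AES key held only by the server, a plaintext layout of an 8-byte issue timestamp followed by the payload, and a caller-chosen maximum age; AES-GCM is used so the client can neither read nor alter the cookie.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Distinguishable failures: a forged or corrupted cookie versus a stale one.
var (
	ErrBadCookie = errors.New("cookie failed authentication or is malformed")
	ErrExpired   = errors.New("cookie has expired")
)

// newAEAD wraps the server key in AES-GCM. Key must be 16, 24 or 32 bytes.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealSession encrypts payload together with its issue time and returns the
// cookie value: base64url(nonce || AES-GCM ciphertext || tag).
// Plaintext layout (an assumption of this example): 8-byte big-endian unix
// seconds || payload.
func sealSession(key, payload []byte, issuedAt time.Time) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	plain := make([]byte, 8+len(payload))
	binary.BigEndian.PutUint64(plain[:8], uint64(issuedAt.Unix()))
	copy(plain[8:], payload)
	// Seal appends ciphertext+tag to the nonce so the nonce travels with it.
	sealed := aead.Seal(nonce, nonce, plain, nil)
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// openSession decodes, authenticates and decrypts a cookie, then rejects it if
// more than maxAge has passed since it was issued (measured against now).
func openSession(key []byte, cookie string, maxAge time.Duration, now time.Time) ([]byte, error) {
	raw, err := base64.RawURLEncoding.DecodeString(cookie)
	if err != nil {
		return nil, ErrBadCookie
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(raw) < ns+8+aead.Overhead() {
		return nil, ErrBadCookie
	}
	// Open fails on any bit flip in nonce, ciphertext or tag, or a wrong key.
	plain, err := aead.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil {
		return nil, ErrBadCookie
	}
	issued := time.Unix(int64(binary.BigEndian.Uint64(plain[:8])), 0)
	if now.After(issued.Add(maxAge)) {
		return nil, ErrExpired
	}
	return plain[8:], nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; generate a real one with rand.Read
	now := time.Now()
	c, _ := sealSession(key, []byte("user=42;role=editor"), now)
	fmt.Println("cookie:", c)
	p, err := openSession(key, c, time.Hour, now.Add(10*time.Minute))
	fmt.Printf("fresh: %q err=%v\n", p, err)
	_, err = openSession(key, c, time.Hour, now.Add(2*time.Hour))
	fmt.Println("stale:", err)
}
```

Note what this buys and what it does not: the client cannot read or forge the data, and a leaked cookie dies on its own after maxAge, but the server keeps no record of who is logged in, so there is no way to log out one particular user early. The only blunt instruments are shortening maxAge or rotating the key, which logs everyone out at once; per-user invalidation needs server-side state, which is exactly the trade-off Scott describes.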
