On 02.10.2011 22:34, Eric Pickup wrote:
> I'm currently rewriting Youporn.com (obviously not safe for work) in
> Symfony2. This is a very high traffic site. On really high traffic
> sites sessions are not practical. They make pages uncacheable and add
> a lot of overhead to page generation. We have a strict rule, no
> sessions.

They don't quite make pages uncacheable. I mean, if your content depends
on what's in the session, sure. But for high traffic pages you could
have the user send the session cookie without really using it and without
loading it from the storage if you disable the session auto_start.

> However some Symfony tools need them even when they aren't strictly
> needed. For example the translation code uses sessions to store the
> user's locale. Parsing the headers can't be slower than a network hit
> for memcached.

True, but that's quite a specific use case IMO. If you want to avoid
sessions at all costs you could write your own session implementation
that just doesn't store anything, and always reads the locale from the
headers.

> The forms coding also uses them by default to prevent mischief which
> is smart but a simple encrypted cookie would work just as well. We
> still couldn't cache the page but it would avoid a hit on memcached,
> redis, or whatever backend we are using.

Thing is, for CSRF protection, sending one cookie for the session instead
of one for the session + one for the CSRF protection is beneficial to
most people. Of course it can be disabled (by deleting the
framework.csrf_protection key in your config.yml afaik), but then you
have to roll your own solution. Depending on the amount of forms on your
site, this might make sense. Or as said above you could use sessions
without auto_start and just make sure you don't have forms on
cached/heavily loaded pages.

I agree that making it use a cookie or some other method optionally
could be interesting though.

Cheers

-- 
Jordi Boggiano
@seldaek - http://nelm.io/jordi
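
The cookie-based CSRF check discussed in this thread could look like the following. This is an added example, not code from Symfony or from either poster: it uses a signed double-submit cookie (an HMAC rather than the encryption mentioned above), and CSRF_SECRET, CSRF_TTL, csrfSign(), issueCsrfToken() and checkCsrfToken() are hypothetical names.

```php
<?php
// Added example: stateless CSRF token, no session or backend lookup.
// All names below are hypothetical; the key is a placeholder.
const CSRF_SECRET = 'replace-with-a-long-random-server-side-key';
const CSRF_TTL = 3600; // seconds a token stays valid

function csrfSign(string $formId, string $expires, string $nonce): string
{
    // Binding the form id means a token issued for one form fails on another.
    return hash_hmac('sha256', $formId . '|' . $expires . '|' . $nonce, CSRF_SECRET);
}

// Returns the value to place in BOTH the cookie and the hidden form field.
function issueCsrfToken(string $formId, ?int $now = null): string
{
    $expires = (string) (($now ?? time()) + CSRF_TTL);
    $nonce = bin2hex(random_bytes(16));
    return $expires . '.' . $nonce . '.' . csrfSign($formId, $expires, $nonce);
}

function checkCsrfToken(string $formId, string $cookie, string $field, ?int $now = null): bool
{
    // 1. Double submit: the posted field must equal the cookie value.
    if ($cookie === '' || !hash_equals($cookie, $field)) {
        return false;
    }
    $parts = explode('.', $field);
    if (count($parts) !== 3 || !ctype_digit($parts[0])) {
        return false;
    }
    [$expires, $nonce, $mac] = $parts;
    // 2. Integrity: reject values this server did not issue for this form.
    if (!hash_equals(csrfSign($formId, $expires, $nonce), $mac)) {
        return false;
    }
    // 3. Freshness: reject tokens past their expiry time.
    return (int) $expires >= ($now ?? time());
}

// Constructed demo values; the fixed timestamps make the run repeatable.
$token = issueCsrfToken('comment_form', 1000);
var_dump(checkCsrfToken('comment_form', $token, $token, 1500));   // matching pair, in time
var_dump(checkCsrfToken('comment_form', $token, 'forged', 1500)); // field differs from cookie
var_dump(checkCsrfToken('login_form', $token, $token, 1500));     // token issued for another form
var_dump(checkCsrfToken('comment_form', $token, $token, 9999));   // past expiry
```

As the quoted message notes, a page carrying such a per-user token still cannot be cached; the gain is only that validation needs no memcached or redis hit.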
