> How much overhead does session replication actually cause vs. fetching
> everything from the database on every request?

Session replication across a cluster can be very expensive because session modifications are O(n), where n is the number of nodes. It's OK if your sessions are light, but it could become a network jam with heavy sessions and many nodes.

> But how do you delete the session data persisted in the database when that
> session is over?

If the data you're storing in the session is truly transient, then don't bother to save it to the DB. Maybe you can even reconstruct this transient info in the case of the session failing over to a new node.

> --"It also avoids the back button problem."
>
> Hmm, I'm probably missing something trivial, but can you explain a bit how
> storing session data in the DB avoids the back button problem?

I was talking about all the info for a request being either POSTed or in query string vars.

> --"even more, it allows you to reorganize the order of your pages with
> minimal effort."
>
> Again, could you explain this out a bit? I'm not seeing it quite yet.

See above.

> My concern is that since URL encoding exposes the session ID in plain view,
> it's as good as compromised despite using SSL to encrypt it once the
> customer logs in.
>
> Was that why you were saying to only use session cookies everywhere?

Yes.

> Other questions:
> --Is it really insecure to store sensitive info (like a credit card # filled
> in during the checkout process) in the session? I can't see how it is any
> less secure to store the session in memory vs. in the backend DB when the
> weakest link in that data's protection is the session ID.

If you're not going to keep it permanently, don't bother with the DB.

> --Btw, are there any data indicating how many people surf the web with
> session cookies off? I'm only concerned with session cookies (which are
> only stored in RAM), and not "normal" cookies (which are stored on the hard
> drive).

I'd like to see that data too, but I'm sure it's a very small number.
Also, anyone who knows how to turn their cookies off knows how to turn them back on again. Even people who set IE6 to a more restrictive privacy setting generally still have session cookies enabled. We get few customer problems that are related to cookie use.
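The cookie-only policy argued for above (a session ID carried in the URL is exposed in logs, Referer headers, bookmarks and proxies even under SSL, so only a RAM-only session cookie should carry it), as an added example that is not part of the original thread and not any servlet container's code. It assumes a hypothetical cookie name `SESSIONID`, the servlet-style `;jsessionid=` path parameter as the URL-rewriting form to detect, and its own request/response dicts in place of a real server API; `SameSite` is a modern addition that the IE6-era discussion did not have.

```python
"""Cookie-only session handling: never honour a session ID found in a URL.

Added example, not code from the mailing-list thread. The cookie name,
helper names and the plain-dict request/response are this example's own
assumptions, not any container's API.
"""
import re
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical cookie name chosen for this example.
COOKIE_NAME = "SESSIONID"
# Servlet-style URL rewriting places the ID in a path parameter.
_PATH_PARAM = re.compile(r";jsessionid=[^/?#;]*", re.IGNORECASE)
# Query-string keys treated as a URL-carried session ID.
_URL_KEYS = {"jsessionid", COOKIE_NAME.lower()}


def session_id_in_url(url: str) -> Optional[str]:
    """Return a session ID carried in the URL path or query, else None."""
    parts = urlsplit(url)  # urlsplit keeps ';params' inside the path
    m = _PATH_PARAM.search(parts.path)
    if m:
        return m.group(0).split("=", 1)[1]
    for key, values in parse_qs(parts.query).items():
        if key.lower() in _URL_KEYS:
            return values[0]
    return None


def strip_session_from_url(url: str) -> str:
    """Remove any URL-carried session ID so the client can be sent to a clean URL."""
    parts = urlsplit(url)
    path = _PATH_PARAM.sub("", parts.path)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in _URL_KEYS]
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(kept), parts.fragment))


def new_session_id() -> str:
    """Fresh, unguessable ID (256 bits); the charset is cookie-safe."""
    return secrets.token_urlsafe(32)


def session_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie value for a RAM-only session cookie.

    No Expires/Max-Age: the browser discards it on exit (a 'session cookie').
    Secure: never sent over plain HTTP. HttpOnly: unreadable by page scripts.
    SameSite=Lax: not attached to most cross-site requests.
    """
    return f"{COOKIE_NAME}={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def handle_request(url: str, cookies: Dict[str, str]) -> Dict[str, object]:
    """Decide which session (if any) a request gets.

    A session ID in the URL is treated as already compromised: it is never
    honoured (which also defeats session fixation via a planted URL), the
    client is redirected to the clean URL and issued a fresh cookie session.
    """
    leaked = session_id_in_url(url)
    if leaked is not None:
        return {
            "status": 302,
            "location": strip_session_from_url(url),
            "set_cookie": session_cookie_header(new_session_id()),
            "session_id": None,
        }
    sid = cookies.get(COOKIE_NAME)
    if sid is None:
        sid = new_session_id()
        return {"status": 200, "location": None,
                "set_cookie": session_cookie_header(sid), "session_id": sid}
    return {"status": 200, "location": None, "set_cookie": None, "session_id": sid}


if __name__ == "__main__":
    # Constructed sample requests: one with a rewritten URL, one with a cookie.
    print(handle_request("https://shop.example/cart;jsessionid=ABC123?item=7", {}))
    print(handle_request("https://shop.example/cart", {COOKIE_NAME: "s1"}))
```

The redirect-and-reissue step is the part worth copying: simply ignoring the URL parameter would still leave the leaked value in every log and Referer on the path, so the client is moved to a URL that no longer contains it, and the session it ends up with is one the URL's author never saw.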
