@all: you should test it before all. Storing session in cookies is achieved with scalability in mind. It's quite a buzzword on these days, but things to consider are a lot. Really, a lot.
One thing is saying that sharing a single filesystem among 100 machines (scalability) is more intensive than storing sessions in cookies. We all agree on that. There are pound, Haproxy and nginx upstreams for speeding that out (i.e. sending requests coming from an ip to the same machine, thus eliminating the need for a shared filesystem). They are something else to set, and you'll likely need to eliminate the Single Point Of Failure clustering them. There are recipes for that but "the poor developer" prefer to manage things on his webframework of choice (web2py, yeah!). A very different other is saying having 100 processes scanning the local filesystem for sessions, in which case I can assure you it's pretty fast (managed to run only 80 of those on my rig :-P). You must also "take into consideration" the speed between sending in/out the standard cookie and the one containing data (larger). In "large scale deployment" this means you must consider the limit of your users bandwith. Waiting for data in (longer cookie) is wait time, just as it is waiting for seek on a filesystem. Which is faster? I'd not bet against filesystem. Storing sessions in memcache or redis is even probably faster (for high number of session files in the same folder), if the instance is local. If the instance is not on the local network, I'd say choice is session file with pound, haproxy and Co. Don't forget even the option of storing session on db (not sqlite), if local, some speed improvement over a high number of session files in filesystem is noticeable (but again, we are talking about scalability, so it's unlikely you'll have a local db). Bailing out large scale deployments, recent tests showed on a normal piece of hardware that until ~40K sessions files, storing them on redis (localhost) or filesystem doesn't affect response times. With higher number of session files, filesystem starts to show its limits because it takes more time just to scan the index of the folder (mitigated with separate=True). BTW, encrypting and decrypting (on the worst case scenario, 4KB of data) takes 4,7 seconds for 1 million iterations. I'd definitely use encryption no matter what if designing a large scale deployment, with no redis or memcache around. Summing up, I'd choose this path only if the large scale deployment involve more than one geographical location of servers. --
