[erlang-questions] Handling user sessions in Misultin or any http server?
Sat Jun 4 22:47:05 CEST 2011
Jacob Vorreuter from Heroku has a straightforward implementation of an
Erlang Redis client. See http://github.com/JacobVorreuter/redo for
further details. And this http://github.com/JacobVorreuter/redis_pool
is another one.
I would go for storing session IDs in cookies and keep all session
data in Redis with an appropriate expiration time.
On Jun 4, 10:07 pm, Wilson MacGyver <> wrote:
> For the type of system I work on
> " a 1000-byte cookie adds 16ms to the response time of a single request made over a broadband DSL connection"
> That alone could be a deal breaker.
> Your assertion of 99% time people only put userid in
> cookie store hasn't been my experience.
> And serverside session need not be in db. Memcached
> and redis are common solutions in high traffic site.
> Redis even supports autoexpire.
> It may just be we have very different usage case. But I think
> claiming cookiestore is the solution 100% of the time is a
> over statement.
> On Jun 4, 2011, at 2:39 PM, Max Lapshin <> wrote:
> > On Sat, Jun 4, 2011 at 10:15 PM, Wilson MacGyver <> wrote:
> >> storing sessions on server has been a very common practice, esp due to cookie
> >> has a limit of 4K on the browser side. Not to mention most cookie
> >> store I've seen,
> >> store data in plain text. There is also the overhead of cookie read
> >> from browser esp if you
> >> are working on high traffic site. thus, the session hash id set it
> >> cookies that points to server
> >> data is the common practice.
> >> but regardless of where is stored, the question is really about are
> >> there any modules
> >> that exists for handling user sessions.
> > I haven't found anything serious in that text. Just "don't do it".
> > 1) In 99% times you need to store only user_id in session. Nothing
> > more. There is no secret in this information
> > 2) It is absoulutely ok to send data plaintext in cookies.
> > 3) Cookies are signed, so server just verify if cookie is not broken.
> > 4) It doesn't differ: either client send you some magic "user_id" or
> > "session_id". Difference is only in storing these sessions.
> > User records doesn't expire, but sessions expire and you _have_ to track them.
> > Worsest problem in server session storage is that you need to expire
> > them and delete.
> > Second problem is that you need to share them across servers.
> > Server session store doesn't differ from database and still User
> > record _must_ be fetched on each request or you will be required to
> > maintain coherence between database and session storage.
> > So, server storage:
> > 1) has no benefits
> > 2) is a very complicated mechanism
> > 3) add one more database select (because session storage is a
> > database) on each request.
> > 4) make scaling harder
> > Without any profits. What for do you advise it?
> erlang-questions mailing list
More information about the erlang-questions