[erlang-questions] Handling user sessions in Misultin or any http server?

Wilson MacGyver <>
Sat Jun 4 22:52:30 CEST 2011

Perfect! Thank you very much.

On Jun 4, 2011, at 4:47 PM, Tobias <> wrote:

> Hi Wilson,
> Jacob Vorreuter from Heroku has a straightforward implementation of an
> Erlang Redis client. See http://github.com/JacobVorreuter/redo for
> further details. And this http://github.com/JacobVorreuter/redis_pool
> is another one.
> I would go for storing session IDs in cookies and keep all session
> data in Redis with an appropriate expiration time.
> Kind regards,
> Tobias
> On Jun 4, 10:07 pm, Wilson MacGyver <> wrote:
>> For the type of system I work on
>> " a 1000-byte cookie adds 16ms to the response time of a single request made over a broadband DSL connection"
>> That alone could be a deal breaker.
>> Your assertion of 99% time people only put userid in
>> cookie store hasn't been my experience.
>> And serverside session need not be in db. Memcached
>> and redis are common solutions in high traffic site.
>> Redis even supports autoexpire.
>> It may just be we have very different usage case. But I think
>> claiming cookiestore is the solution 100% of the time is a
>> over statement.
>> On Jun 4, 2011, at 2:39 PM, Max Lapshin <> wrote:
>>> On Sat, Jun 4, 2011 at 10:15 PM, Wilson MacGyver <> wrote:
>>>> storing sessions on server has been a very common practice, esp due to cookie
>>>> has a limit of 4K on the browser side. Not to mention most cookie
>>>> store I've seen,
>>>> store data in plain text. There is also the overhead of cookie read
>>>> from browser esp if you
>>>> are working on high traffic site. thus, the session hash id set it
>>>> cookies that points to server
>>>> data is the common practice.
>>>> http://wonko.com/post/why-you-probably-shouldnt-use-cookies-to-store-...
>>>> but regardless of where is stored, the question is really about are
>>>> there any modules
>>>> that exists for handling user sessions.
>>> I haven't found anything serious in that text. Just "don't do it".
>>> 1) In 99% times you need to store only user_id in session. Nothing
>>> more. There is no secret in this information
>>> 2) It is absoulutely ok to send data plaintext in cookies.
>>> 3) Cookies are signed, so server just verify if cookie is not broken.
>>> 4) It doesn't differ: either client send you some magic "user_id" or
>>> "session_id". Difference is only in storing these sessions.
>>> User records doesn't expire, but sessions expire and you _have_ to track them.
>>> Worsest problem in server session storage is that you need to expire
>>> them and delete.
>>> Second problem is that you need to share them across servers.
>>> Server session store doesn't differ from database and still User
>>> record _must_ be fetched on each request or you will be required to
>>> maintain coherence between database and session storage.
>>> So, server storage:
>>> 1) has no benefits
>>> 2) is a very complicated mechanism
>>> 3) add one more database select (because session storage is a
>>> database) on each request.
>>> 4) make scaling harder
>>> Without any profits. What for do you advise it?
>> _______________________________________________
>> erlang-questions mailing list
>> ://erlang.org/mailman/listinfo/erlang-questions
> _______________________________________________
> erlang-questions mailing list
> http://erlang.org/mailman/listinfo/erlang-questions

More information about the erlang-questions mailing list