[nycphp-talk] Cookies as session database [was php scalability]

Chris Shiflett shiflett at
Mon Aug 18 11:56:01 EDT 2003

--- George Webb <gw.nyphp at> wrote:
> As an offshoot of this topic, what does anyone think of using
> HTTP cookies as the session database?

My apologies if my response is extremely late; I'm just now able to catch up on

I would just like to reiterate the points Dan made, specifically:

1. This approach is less secure.
2. This approach is less efficient.

To explain the first point, consider that you are suggesting storing client
data in cookies. This means that the risk of exposure is insanely high; this
data is being sent across the public Internet for every single transaction.

As for performance, you are adding a significant amount of overhead for every
single transaction. The same characteristic that makes this approach less
secure makes it less efficient. Rather than the client simply having to
identify itself, it is now sending you all session data in every request. In
addition to this, you are sending back all session data you want to modify.

At any rate, I hope we've talked you out of this approach. :-)


Become a better Web developer with the HTTP Developer's Handbook
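
The two points in the message above, as an added illustration that is not part of the original post: it builds the request header a client would send under each design and reports its size and what can be read from the header alone. The session contents, the cookie names `sid` and `sess`, and the JSON plus base64 encoding are assumptions; Python is used only to model the HTTP headers.

```python
import base64
import json
import secrets

# Constructed sample session (not from the original thread).
SESSION = {
    "user_id": 4211,
    "email": "pat@example.org",
    "cart": [{"sku": "BK-1031", "qty": 2}, {"sku": "BK-2207", "qty": 1}],
    "shipping_zip": "10001",
}
SERVER_STORE = {}  # stands in for the server-side session database


def id_cookie(session):
    """Server keeps the data; the client carries only a random identifier."""
    sid = secrets.token_hex(16)
    SERVER_STORE[sid] = session
    return "Cookie: sid=" + sid


def data_cookie(session):
    """Cookie as session database: the whole session rides in the header."""
    raw = json.dumps(session, separators=(",", ":")).encode()
    return "Cookie: sess=" + base64.urlsafe_b64encode(raw).decode()


def observer_view(header):
    """Session fields recoverable from the header alone, or None."""
    value = header.split(": ", 1)[1].partition("=")[2]
    try:
        return json.loads(base64.urlsafe_b64decode(value))
    except ValueError:  # covers base64, UTF-8 and JSON decoding errors
        return None


def compare(session):
    """Per-request header size and on-the-wire exposure for each design."""
    return {
        name: {"bytes": len(hdr), "exposed": observer_view(hdr)}
        for name, hdr in (("session id", id_cookie(session)),
                          ("cookie data", data_cookie(session)))
    }


if __name__ == "__main__":
    for design, result in compare(SESSION).items():
        print(design, result)
```
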
