[nycphp-talk] Cookies as session database [was php scalability]

George Webb gw.nyphp at
Mon Aug 18 18:00:04 EDT 2003

--- On Mon, 18 Aug 2003 11:56:01am Chris Shiflett wrote:
> I would just like to reiterate the points Dan made, specifically:
> 1. This approach is less secure.
> 2. This approach is less efficient.

Thanks for these important observations.  Please allow me to
address them both:

	Security:  assuming that SSL is *not* in use, the cookie
data can be seen by third parties, as we all know.  But some data
does not need to be secure, like shopping cart contents.  Am I
mistaken in believing that the item(s) in a customer's shopping
cart must be secured?  At least in the early stages of a shopping
experience, the only exposed data would be the URLs requested,
user's IP address, and the shopping cart contents.

	Later when a user enters their personal information
such as addresses, security seems to become more important.  And
when they enter their billing information (i.e. credit card #)
obviously the connection *must* be secure.

	So my question is, for a shopping cart application, what
user data items really need to be secure?

	Efficiency:  as Chris knows since he wrote the book on
HTTP, the HTTP cookie specifications (both Netscape's as well as
the "version 2") allow for such cookie data to be transported among
only a subset of viewed pages on a web site.  Therefore, in this
same shopping cart example, the application can efficiently direct
the HTTP client (web browser) to send the cookie data to only the
URLs that will need to see it.  For example, the application could
set the "cart contents" cookie to have a "path" value of "/cart/"
and the "personal info" cookie to have a path value of "/cart/secure/"
and a secure flag of 1.  Such a setup seems like it would satisfy
both issues, don't you think?

	Another efficiency issue relates to the size of the HTTP
cookies.  To this end we could specially format and even compress
or pack the user data into a smaller byte-representation.  For example,
an uncompressed "cart contents" cookie with three line items might look
like this:


The server can then do product lookup queries on each of these
three items to build a more readable or detailed list:

	Qty  SKU         Price    Description
	1    PJ00111     49.95    Sweet Dreams Kimono
	                           Size: Small, Color: Blue
	1    PJ00103     75.95    Rose Garden Gown
	                           Size: Small, Color: Orange
	8    ACC00101    12.95    Pink Fleece Sleep Socks
	                            Size: 5/8

(Yes, this is for a pajama-selling site (

	I would really like to make HTTP cookies do the work
that we normally impose on central databases, because then we
can scale a server cluster linearly, simply by adding more
hardware.  Thanks again for your comments.

Best, George.

George Webb
gw.nyphp at
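
The cookie scoping and server-side product lookup described in this message, as an added example that is not part of the original post. The cookie names (cart, info), the "qty.SKU" packing, the function names and the in-memory catalog are assumptions made for illustration; only quantity and SKU are read from the cookie, and price and description come from the lookup.

```php
<?php
// Added example, not from the original post. Cookie names, the "qty.SKU"
// wire format and the catalog rows below are constructed assumptions.
const CATALOG = [
    'PJ00111'  => ['price' => '49.95', 'desc' => 'Sweet Dreams Kimono'],
    'PJ00103'  => ['price' => '75.95', 'desc' => 'Rose Garden Gown'],
    'ACC00101' => ['price' => '12.95', 'desc' => 'Pink Fleece Sleep Socks'],
];

// Build a Set-Cookie header line so the Path/Secure scoping is visible.
function cookie_header(string $name, string $value, string $path, bool $secure): string
{
    $h = 'Set-Cookie: ' . $name . '=' . rawurlencode($value) . '; Path=' . $path;
    return $secure ? $h . '; Secure' : $h;
}

// Pack [qty, sku] pairs as "qty.SKU" joined by "-" (cookie-safe characters).
function pack_cart(array $lines): string
{
    $parts = [];
    foreach ($lines as [$qty, $sku]) {
        $parts[] = $qty . '.' . $sku;
    }
    return implode('-', $parts);
}

// Parse a cart cookie sent by the browser. The value is client-controlled
// and, without SSL, readable in transit, so it is validated line by line
// and the price is never taken from it.
function unpack_cart(string $cookie): array
{
    $cart = [];
    foreach (explode('-', $cookie) as $part) {
        if (!preg_match('/^([1-9][0-9]{0,2})\.([A-Z]{2,4}[0-9]{5})$/D', $part, $m)
            || !array_key_exists($m[2], CATALOG)) {
            continue; // malformed line or unknown SKU: drop it
        }
        $cart[] = ['qty' => (int) $m[1], 'sku' => $m[2]] + CATALOG[$m[2]];
    }
    return $cart;
}

$value = pack_cart([[1, 'PJ00111'], [1, 'PJ00103'], [8, 'ACC00101']]);
echo cookie_header('cart', $value, '/cart/', false), "\n";
echo cookie_header('info', 'constructed-value', '/cart/secure/', true), "\n";
// Two bad lines are appended to the cookie value to show they are rejected.
foreach (unpack_cart($value . '-99999.PJ00111-2.NOPE') as $line) {
    printf("%d  %-9s %6s  %s\n", $line['qty'], $line['sku'], $line['price'], $line['desc']);
}
```

A cookie with Path=/cart/ is also sent on requests under /cart/secure/, while the Secure cookie is sent only over SSL connections.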
