I have a php web application that uses big cookies to store a lot of users data. If I set mod_gzip on the apache server, will it compress only the page content or will it compress the cookies also?
+11
A:
No, it compresses only the content. Cookies are sent in the headers, which are never compressed.
Filip Navara
2009-09-04 20:35:22
+6
A:
The compression will not happen for cookies with mod_gzip, but you can always compress the cookie data yourself if you know that it is going to be big. Compress the data when you create the cookie, and decompress it when you read the cookie. Be sure to verify a signature on the data before decompressing to help avoid DoS attacks against your code.
Greg Hewgill
2009-09-04 20:45:19
Besides that, it is never completely safe to store sensitive information in Cookies.
Havenard
2009-09-04 20:51:32
PHP already hase compression functions like `gzencode` (HTTP’s `deflate` file format), `gzcompress` (HTTP’s `gzip` file format) and `gzdeflate` (actual *DEFLATE* data format). So I doubt you will additionally need a signature to protect yourself agains Denial of Service attacks.
Gumbo
2009-09-04 21:06:51
Compressing a cookie would probably not save any bytes on the wire, and could even generate more traffic. Remember that cookies are URL-encoded, so every character that's not alphanumeric will take 3 times the space and nullify any saving made with compression. For instance, `urlencode(gzcompress("this is a text", 9))` will return a 54-chars string, 3.5 times the original "uncompressed" size.
Josh Davis
2009-09-05 02:59:01
@Josh Davis: good point, if compression is really effective on the cookie data it would be worthwhile to base64 encode the results to avoid url-encoding. But it really needs to be measured.
Greg Hewgill
2009-09-05 03:04:09
+4
A:
I think you're focusing on the wrong issue here.
At which point you feel that compressing the cookie(s) might be a good idea, you're clearly misusing the cookie system.
Store minimal data in the cookies, like a unique id to a login context or whatnot, don't store the entire user data in the cookies.
Basically what I'm getting at is, you should never feel the need to have the cookies compressed. If you do, you're doing something wrong.
And no, to answer your question, it won't compress the cookies. They're sent separately from the content.
Lasse V. Karlsen
2009-09-04 20:55:06
Very good point. The cookie should be the key/identifier for user data saved on your server.
bucabay
2009-09-05 02:57:09
+1
A:
Sometimes we need to store lots of data for (legal) tracing purposes like in the Ads market. Then we need to store cookies with lots of traceable info to improve our ad angines to prevent a user from, for example, seeing the same ads many times. We might not use it but then the time taken to access the db retrieving info that's already in the user side begins to grow when counting for millions hits/day, plus db connections, + server usage, etc..
For sure we store the minimum info (integers only) but anyway it could grow up easily after some time.
Julian
2009-11-19 16:51:38