Is it worth to save the session state information in httpcontext or request cookie in load balancing environment?

Question

In load balancing server environment is it possible to maintain the session state in httpcontext or request cookie.

Does it cause any performance issue or security issue?

Answer 1

Assuming your cookie is encrypted it shouldn't be a security issue, but if you have a lot of session it will cause a lot of extra traffic. I think you need to be more clear about what part of httpcontext you would store the session state in.

Answer 2

Context is usually request driven (so doesn't persist).

You can save things to cookie but they're insecure unless you go about signing your cookies. But this (naturally) has a performance hit.

The most logical method is to move your session store to a shared platform. I don't know what you're using but later versions of IIS have methods for sharing the session and if you're using something like Django, you can host the session on something like Memcached.

Most platforms also have the option of storing the session in the database. This is okay if your DB is fast and well balanced.

A distributed, dedicated session server is by far the best solution if all your machines are in the same datacentre though.