I heard in an old Stack Overflow podcast that they minimized the use of sessions, and that they basically only needed it when posting. How can that be? Don't they need to use some form of sessions on every page view if nothing more than to tell that I'm logged in? How else do they show your username instead of the "Log In" prompt at the top of the screen?

When this type of thing becomes important is when you're persisting your sessions in a database. Now each time you touch your session store, you touch your database. So it would be great if you could avoid it.

You could store all your state in a cookie, but if you care at all about security, then you'll probably want to control state on your server instead.

+2  A: 

I don't know about the podcast you're referring to, but I'm not really sure they were saying what you thought they were saying...

Session data doesn't necessarily have to be written to DB every time it's touched. You could easily have a cached (using memcached or something similar) intermediary. You could then write the session data to DB every X amount of requests/minutes/writes/whatever.

Sam Day
From what I understand, memcached isn't completely reliable and shouldn't be used in a way that makes it differ from your master data. In other words, it should be just a cache, and no more. So you're right that this would be OK for reads. Writes should be written to both the cache and your persistent data store. In any case, that still requires you to maintain state for each page while logged in, right?
Mike M. Lin
I'm marking this as the answer with the understanding that you obviously do need to maintain some kind of state for logged in users. I suppose it was wishful thinking that it could be avoided.
Mike M. Lin
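
The caching arrangement discussed in the answer and comments above, as an added example that is not part of the original thread: a write-through session store where page-view reads are served from a cache and only writes (or cache misses) reach the database. The class name, the in-memory dict standing in for memcached, and the SQLite table standing in for the session database are all assumptions made for illustration.

```python
import json
import secrets
import sqlite3


class WriteThroughSessionStore:
    """Sessions live in a persistent DB; a cache in front absorbs page-view reads."""

    def __init__(self):
        self.cache = {}  # stand-in for memcached (assumption): may lose entries at any time
        self.db = sqlite3.connect(":memory:")  # stand-in for the persistent session DB
        self.db.execute("CREATE TABLE sessions (sid TEXT PRIMARY KEY, data TEXT NOT NULL)")
        self.db_reads = 0   # counters show how often the DB is actually touched
        self.db_writes = 0

    def create(self, data):
        sid = secrets.token_urlsafe(32)  # unguessable ID; the only value the cookie carries
        self.save(sid, data)
        return sid

    def save(self, sid, data):
        # Write-through: the DB (source of truth) first, then the cache.
        self.db.execute("INSERT OR REPLACE INTO sessions VALUES (?, ?)", (sid, json.dumps(data)))
        self.db.commit()
        self.db_writes += 1
        self.cache[sid] = dict(data)

    def load(self, sid):
        if sid in self.cache:  # normal page view: no DB access
            return dict(self.cache[sid])
        self.db_reads += 1     # cache miss (eviction, restart): fall back to the DB
        row = self.db.execute("SELECT data FROM sessions WHERE sid = ?", (sid,)).fetchone()
        if row is None:
            return None        # unknown or logged-out session: treat as anonymous
        data = json.loads(row[0])
        self.cache[sid] = data  # repopulate so later page views stay off the DB
        return dict(data)

    def destroy(self, sid):
        # Logout removes both copies; a leftover cache entry would keep the session alive.
        self.db.execute("DELETE FROM sessions WHERE sid = ?", (sid,))
        self.db.commit()
        self.db_writes += 1
        self.cache.pop(sid, None)
```

State is still kept on the server for every logged-in user; the cache only changes how often the database is consulted to read it.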