
Django - Difference between Database backed sessions and Cookie Based Session?


A Session is used by websites to store application state for visitors across multiple page loads.

Cookie Sessions

  • Store their data on the client/user end
  • Work smoothly when you have a cluster of web servers
  • Browsers typically limit cookies to a maximum size of around 4 kilobytes per domain, so session data size is limited
  • Cookies can be set to a long lifespan, which means that data stored in a session cookie could be stored for months if not years (users can clear cookies, though)
  • Must be set with HttpOnly and Secure flags, otherwise they can be easily stolen via XSS

Database Sessions

  • Store their data server side
  • When one of your web servers handles the first request, the other web servers in your cluster will not have the stored information unless user session data is stored centrally
  • Clients do not have access to the information you store about them, so database sessions are better for sensitive data
  • Data doesn't have to travel from client to server on each request (clients just need to send an ID so the server can load the data)
  • Can store more data, since it is stored on the server instead of in a cookie

Cookie Sessions vs Database Sessions

| Feature                       | Cookie Sessions | Database Sessions |
|-------------------------------|-----------------|-------------------|
| Works without database        | Yes             | No                |
| Can store sensitive user data | No*             | Yes               |

* Can store pointers referencing sensitive user data on the server, just not the sensitive data itself.

Both Cookie Sessions and Database Sessions work the same way; the only difference is where the data is stored. Django defaults to Database Sessions while Flask defaults to Cookie Sessions.


More information:
https://en.wikipedia.org/wiki/Session_(computer_science)
http://php.about.com/od/learnphp/qt/session_cookie.htm
http://wonko.com/post/why-you-probably-shouldnt-use-cookies-to-store-session-data
http://www.tuxradar.com/practicalphp/10/1/0
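
The difference in where the data lives, as an added example that is not part of the original answer: a simplified standard-library model of the two approaches, showing what the client actually receives in each case. It is not Django's real cookie format; `SECRET_KEY`, `SERVER_STORE` and all function names are made up for illustration.

```python
import base64, hashlib, hmac, json, secrets

SECRET_KEY = b"constructed-demo-key"  # assumption: stands in for the server's signing key
SERVER_STORE = {}                      # assumption: stands in for the session table

def enc(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(payload: str) -> str:
    return enc(hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest())

def cookie_session_dump(data: dict) -> str:
    """Cookie session: the data itself goes to the client, signed but not encrypted."""
    payload = enc(json.dumps(data).encode())
    return payload + "." + sign(payload)

def cookie_session_load(cookie: str) -> dict:
    """Server side: refuse any cookie whose signature does not match its payload."""
    payload, _, sig = cookie.rpartition(".")
    if not hmac.compare_digest(sig.encode(), sign(payload).encode()):
        raise ValueError("session cookie failed signature check")
    return json.loads(dec(payload))

def client_view(cookie: str) -> dict:
    """What anyone holding the cookie can read without knowing SECRET_KEY."""
    return json.loads(dec(cookie.split(".")[0]))

def db_session_dump(data: dict) -> str:
    """Database session: the cookie is only a random ID; the data stays server side."""
    session_id = secrets.token_urlsafe(24)
    SERVER_STORE[session_id] = dict(data)
    return session_id

def db_session_load(session_id: str) -> dict:
    return SERVER_STORE[session_id]

if __name__ == "__main__":
    data = {"user_id": 42, "plan": "trial"}  # constructed sample session data
    cookie = cookie_session_dump(data)
    print("cookie session value:", cookie)
    print("readable by client:  ", client_view(cookie))
    print("db session value:    ", db_session_dump(data))
```

A payload edited without the key makes `cookie_session_load` raise, so the signature protects integrity, not confidentiality; Django's signed-cookie backend likewise signs session data without encrypting it.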