Sessions & server's performance

OOP

Hi there,
Is it ture that if you use sessions to track & maintain your users in a big website affects the performance of the server. And if the answer is yes, then can we say the cookie can be the alternative? what if users did not accept cookies?

which is better? sessions or cookies?

thanks in advance for your usual help

regards,
OOP

etully

I think it's a negligable difference but the only way to know for sure is to write some sample code and put some load on it.

Sessions use a cookie, of course. So there's a few hundred bytes of bandwidth added there. And sessions store data on the hard drive (or in RAM) on the server side. If you are running low on RAM, then the session data would be written to swap which is the kiss of death for performance.

Staying entirely with cookies means passing all that data down to the user and then passing it all back up for every page view. If you had 20 variables of 30 bytes each and you add some overhead, I'm going to take a wild guess and say that you're adding roughly 1800 bytes to both the up and down data transfer. Frankly, 1800 bytes isn't much these days as some (idiotic) developers are making web pages with 200K footprints.

So basically you have the option of putting load on your RAM / HD or you can put the load on the bandwidth - and again, I'm going to guess that it's negligable but putting it to a real load test is the only way to know for sure.

MarkR

It really depends what you put into your sessions, how they're stored, etc.

By default, a session is just a file stored in a serialised form. Therefore, provided there are only a few values in the session, then it should be fine.

Some operating systems / filesystems suffer from serious performance problems when the number of files in a directory becomes too large. This might affect you if you have a huge number of concurrent sessions. In this case, you can tune the various session parameters.

Clearly the advantage of using a session variable is that it is utterly safe from unauthorised modification (although you should still be wary of session fixation and session hijack attacks). The only modifications which can be made to the session are via your code (rightly or wrongly), not by the user's browser.

You can sometimes save quite a lot of work by storing stuff in the session for later use, e.g. remembering the user's preferences etc, so you don't have to read them from a database each time. This may or may not be applicable to your exact application.

Generally speaking, worrying about performance is a bad thing to do. Don't lose sleep over it. If something becomes a problem, profile it in your test network and analyse the data to identify the problem, then either upgrade hardware, software, or do a software fix for it as you feel is necessary, checking this fix against your profiling data.

Mark