What are the advantages and disadvantages of storing session variables in the database?

8

As of Rails 4.0, the ActiveRecord Session Store, which saved session variables in the database, was removed due to "performance issues." But the functionality continues to work through a gem. Today Rails uses the Cookie Session Store.

  

ActiveRecord session store - The ActiveRecord session store is extracted to a separate gem. Storing sessions in SQL is costly. Instead, use cookie sessions, memcache sessions, or a custom session store.

     

Source: link

Translated:

  

ActiveRecord session store - The ActiveRecord session store has been moved to a separate gem. Storing sessions in the database is costly [in terms of performance]. Instead, use sessions based on cookies, memcache sessions, or a custom session.

In spite of this, I find references on the web saying that its use is still recommended (to avoid session hijacking, for example). The Rails security guide itself (link) seems to suggest this, though it does not name the gem.

After all, is it really advantageous to use the database to save session variables, such as the id of the logged in user, etc? Does the performance cost become noticeable?

    
asked by anonymous 03.11.2014 / 11:52

2 answers

2

I'm not a web expert, but I think I can contribute to the issue.

Sessions in the database

Advantages

  • Easy scalability: Since it is not an application that uses database replication, it is simpler to store the data in a resource that is shared between the servers.
  • Ease of implementation: Controlling a session via the database generates a simpler implementation, based on queries and SQL commands, something that most developers know well.

Disadvantages

  • Slow: Being a shared resource, if the amount of reads and writes is too large, the "advantage" of being a shared resource can cause slowdowns on all servers by overloading the database.
  • Layer Violation: Technically, the database is a persistence layer, not a middle or staging resource. Thus, sites that do not need to serialize their access, requesting data at the base, begin to demand even where there is no need.

Alternatives

Redis: an in-memory data server, distributed, with high speed, a persistence option, open source and maintained by Pivotal Software. Source: Wikipedia

Memcached : Free and open source distributed object caching system. Source: link

Do not use the session, but rather keep the data in the client app and use Basic, Digest, or Token Authentication.

    
06.11.2014 / 19:20
0

The main use for sessions in the database is when you want to share the session between more than one application.

It can also be used to store more data than cookies permit (4k).

As for performance, it is noticeable if it is measured in tools like New Relic; for the end user, it depends a lot on what the application does.

If for any reason you need to store sessions other than cookies, use memcached.

Here's an example of how to do it: link

    
03.11.2014 / 13:04
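
The trade-off behind the session hijacking point in the question and the 4k limit in the last answer, as an added Ruby example that is not code from the original posts or from Rails: a signed-cookie store next to a server-side store. The class names, the `--` cookie format and the in-memory hash standing in for the sessions table are assumptions made for illustration.

```ruby
require "openssl"
require "securerandom"
require "json"

COOKIE_LIMIT = 4096 # bytes; the "4k" cookie limit mentioned in the answer above

# Client-side store: the whole session travels in a signed cookie.
# Simplified stand-in for a signed cookie store, not Rails' own wire format.
class CookieStore
  def initialize(secret); @secret = secret; end

  def issue(data)
    payload = [JSON.generate(data)].pack("m0") # strict Base64
    cookie = "#{payload}--#{sign(payload)}"
    raise ArgumentError, "cookie overflow" if cookie.bytesize > COOKIE_LIMIT
    cookie
  end

  def load(cookie)
    payload, mac = cookie.to_s.split("--", 2)
    return nil unless payload && mac && secure_eq(mac, sign(payload))
    JSON.parse(payload.unpack1("m0"))
  end

  # The server keeps no state, so logout can only ask the browser to drop the
  # cookie; a copy captured earlier still verifies.
  def logout(_cookie); end

  private
  def sign(payload); OpenSSL::HMAC.hexdigest("SHA256", @secret, payload); end

  def secure_eq(a, b) # constant-time comparison
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
  end
end

# Server-side store (database, memcached): the cookie holds only a random id.
class ServerStore
  def initialize; @rows = {}; end # constructed stand-in for the sessions table

  def issue(data)
    sid = SecureRandom.hex(16)
    @rows[sid] = data
    sid
  end

  def load(sid); @rows[sid]; end
  def logout(sid); @rows.delete(sid); end # revocation is immediate
end
```

With the cookie store, a session value copied before logout still loads afterwards and a payload over the limit is rejected at issue time; with the server-side store, the same id stops resolving as soon as its row is deleted, at the cost of one lookup per request.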