Hi,

I am developping a new web service and I plan using sessions, however I never find any information on what the maximum size should be.

I plan having ~ 300-400 active sessions at a time with 10,000-20,000 open sessions (24hours session).

I'd like to store in sessions some basic information about the user to avoid SQL query each time a new page is loaded (to lower load and get more speed too). The stored session's array would contain about 300 characters.

Is it the best practice to keep the data in sessions or should I use a different approach ?

What number of concurrent sessions is prefered ? What max size ?

I guess it's mostly related to RAM size..

If you have any URL with such info (about sessions best practices), I'd really appreciate.


Thanks,

G

I plan having ~ 300-400 active sessions at a time with 10,000-20,000 open sessions (24hours session).
What do you mean exactly by this? Is it 300 to 400 sessions or 10.000 to 20.000?

Is it the best practice to keep the data in sessions or should I use a different approach ?
If it isnt security critical you could also store it in a cookie, but I wouldnt recommend it.

What number of concurrent sessions is prefered ? What max size ?
The maximum size will probably depend on the system's resources. However there is no preference on concurrent sessions as this will depend on the maximum number of users you can/want to support.

I guess it's mostly related to RAM size..
Not necessarily, as the default session handler stores the data in the file system

Sessions are temporary cookies. Info about the session is for the most part stored on the clients computer, then your server reads it off of their computer like a cookie. I would recomend using a cookie that expires after 24 hours as opposed to a session because they are more flexable. The only advantage to a session is that they could be set up to store information even if the client's computer doesn't accept cookies.

zoid:

thanks, I didn't know the data was stored in 'files' I though it was 'volatile'.

HIU-Daniel:

thanks but this is not true, only the session ID is stored in the cookie, not the data associated with the session.


G

zoid:

thanks, I didn't know the data was stored in 'files' I though it was 'volatile'.
Actually it depends on the implementation. Tomcat keeps the session data in memory, hence they can be considered as temporary. However in PHP they are stored on the file system by default (please see http://www.php.net/manual/en/ref.session.php for more details). By extending the session handler you can introduce custom handling however and store the data in memory, databases or other places (there is a handler for PostgreSQL (http://www.php.net/manual/en/ref.session-pgsql.php) for example).

HIU-Daniel:

thanks but this is not true, only the session ID is stored in the cookie, not the data associated with the session.
Exactly, sessions never store any information at the client except for the session id. And even this doesnt need to be stored as cookie.

I was having the same question a couple of weeks ago and I'm glad that the subject is open!