Wednesday 22 July 2020

What is a better way to manage a web session?

The way I am handling web sessions is by embedding an "ephemeral session id" and a username in a web token and having that same id set as a separate cookie. When a request is received by the server, the "session id" embedded in the token is compared with the value stored in that separate cookie. If they match, the username is extracted from the token. In response to that request, a new session id is generated, a new token is created, and the value of the separate cookie is set to this new session id.

I have the following questions:

  • Do you see problems with this approach?
  • Are there better ways to handle sessions without storing state on servers?
  • Is maintaining session information on the server better than making server state-less?
  • What is the advantage of one over the other?
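The flow described in the question, written out as an added example (this is not the poster's code and the page shows none): the token is an HMAC-signed payload carrying the username and session id, the session id is also sent back as a separate cookie, and each verified request rotates both. The key name, the TTL and the token layout are assumptions for the example; the only thing the server holds is the signing key, which is what makes the design stateless. The last function shows one consequence of that: after rotation the previous token/cookie pair still verifies, because there is no server-side record to mark it used.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed key for this example only; a real deployment loads it from a
# secrets store. It is the only server-side state in this design.
SERVER_KEY = b"example-only-key-do-not-use-in-production"
TOKEN_TTL = 3600  # seconds; assumed value for the example


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(payload_b64: str) -> str:
    return _b64(hmac.new(SERVER_KEY, payload_b64.encode(), hashlib.sha256).digest())


def issue_session(username: str, now: Optional[float] = None) -> Tuple[str, str]:
    """Mint a fresh session id; return (token, value for the separate cookie)."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    payload = {"sub": username, "sid": sid, "exp": int(now) + TOKEN_TTL}
    payload_b64 = _b64(json.dumps(payload, separators=(",", ":")).encode())
    return payload_b64 + "." + _sign(payload_b64), sid


def verify_request(token: str, session_cookie: str,
                   now: Optional[float] = None) -> Optional[str]:
    """Return the username if token and cookie check out, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig = token.split(".", 1)
    except ValueError:
        return None
    # Integrity first: without this, comparing ids proves nothing, since the
    # client could put any username and id it likes into the token.
    if not hmac.compare_digest(sig.encode(), _sign(payload_b64).encode()):
        return None
    try:
        payload = json.loads(_unb64(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if payload.get("exp", 0) < now:
        return None
    # The check from the question: id inside the token must equal the cookie.
    if not hmac.compare_digest(str(payload.get("sid", "")).encode(),
                               session_cookie.encode()):
        return None
    return payload.get("sub")


def handle_request(token: str, session_cookie: str,
                   now: Optional[float] = None):
    """Verify, then rotate: return (username, new_token, new_cookie) or None."""
    user = verify_request(token, session_cookie, now)
    if user is None:
        return None
    new_token, new_sid = issue_session(user, now)
    return user, new_token, new_sid


def old_pair_still_valid_after_rotation(now: float = 1000.0) -> bool:
    """Nothing server-side records the rotation, so the old pair keeps working."""
    token, cookie = issue_session("alice", now)
    handle_request(token, cookie, now)  # rotates
    return verify_request(token, cookie, now) == "alice"


if __name__ == "__main__":
    tok, ck = issue_session("alice")
    print("login ok:", verify_request(tok, ck))
    print("old pair after rotation:", old_pair_still_valid_after_rotation())
```

Rotation here changes what the client holds but revokes nothing, which is the trade the question is asking about: keeping a server-side record of live session ids is what would let the server reject a replayed or stolen pair before it expires.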


