I need to deploy a new website in AWS with Elastic Beanstalk. We have 4 machines and a load balancer in front. I need to use session/cookie, but I don't want to use a database (Redis or MongoDB) to store the session-cookie.
I need something like this:
Session information stored in cookies only: Session information (not just a session identifier) is stored in a user's cookie. For example, the user's cookie might contain the contents of their shopping basket. To prevent users tampering with the session data, a HMAC may be provided along with the cookie. This method is probably least suitable for most applications:
- No backend storage is required
- The user does not need to hit the same machine each time, so DNS load balancing can be employed
- There is no latency associated with retrieving the session information from a database machine (as it is provided with the HTTP request). Useful if your site is load balanced by machines on different continents.
- Encryption has to be employed if a user should not be able to see the contents of their session
- The amount of data that can be stored in the session is limited (by the 4K cookie size limit)
- HMAC (or similar) has to be employed to prevent user tampering of session data
- Since the session data is not stored server side, it's more difficult for developers to debug
I'm using PassportJs with a LocalStrategy, but I haven't found information about this kind of cookie (it's always about storing in Redis or similar).
Can you please tell me how to implement this mechanism?
Thanks.
via chemitaxis
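The cookie-only scheme quoted in the question, sketched with Node's built-in `crypto` module; this is an added example, not part of the original post, and `sealSession`, `openSession` and `SECRET` are hypothetical names. It signs the session data with HMAC-SHA256 and adds an expiry, but does not encrypt it, so the user can still read the contents.

```javascript
const crypto = require('crypto');

// Assumption: in production the key comes from shared configuration so that
// every instance behind the load balancer verifies with the same secret.
const SECRET = crypto.randomBytes(32);
const MAX_COOKIE_BYTES = 4096; // the 4K cookie limit mentioned in the question

const b64u = (buf) => Buffer.from(buf).toString('base64url');
const mac = (payload, key) =>
  crypto.createHmac('sha256', key).update(payload).digest();

// Serialize the session data plus an expiry, then append an HMAC-SHA256 tag.
function sealSession(data, ttlSeconds, key = SECRET, now = Date.now()) {
  const body = JSON.stringify({ data, exp: now + ttlSeconds * 1000 });
  const payload = b64u(body);
  const value = `${payload}.${b64u(mac(payload, key))}`;
  if (Buffer.byteLength(value) > MAX_COOKIE_BYTES) {
    throw new Error('session exceeds the 4K cookie limit');
  }
  return value;
}

// Return the session data, or null if the cookie is malformed, tampered or expired.
function openSession(value, key = SECRET, now = Date.now()) {
  if (typeof value !== 'string') return null;
  const parts = value.split('.');
  if (parts.length !== 2) return null;
  const [payload, tag] = parts;
  const expected = mac(payload, key);
  const given = Buffer.from(tag, 'base64url');
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (given.length !== expected.length ||
      !crypto.timingSafeEqual(given, expected)) return null;
  try {
    const { data, exp } = JSON.parse(
      Buffer.from(payload, 'base64url').toString('utf8'));
    return typeof exp === 'number' && exp > now ? data : null;
  } catch {
    return null; // payload was signed but is not valid JSON
  }
}
```

The tag is verified before the payload is parsed, so unauthenticated input never reaches `JSON.parse`.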