[eluser]jbowman[/eluser]
I've been thinking about sessions and databases, and think I might have come up with a solution that will work well for both performance and security reasons.
I'm trying to keep database queries down to a minimum, but I want to have session data that includes information I won't trust coming from a user supplied cookie. I also want the site to have the ability to scale horizontally for the web servers serving it, which means I need to keep the session information in a shared resource, such as a database.
I think the answer is this. User sessions get stored in the database, and cached as a file on the web server. The session process would then work like this:
Check for a session id supplied by the browser.
If the session id does not exist, start a new session.
If the session id does exist, check the local file cache for the session.
If the cache file does not exist, check the database.
If the session exists in the database, create a cache file and continue.
If the session does not exist in the database, then start a new session.
This way, if you have multiple web servers, and load balancing has the user move to a different server for some reason (I'd rather not get into the persistence features of NLBs, as web servers themselves can go down), a new cache file is created as the only database request for the session.
Any thoughts or comments? I'm currently using NGSession and may try to add this functionality once I get further into the development of my site, if no one else beats me to it.
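The lookup chain described in the post (cookie id, then this server's file cache, then the shared database, else a fresh session) as an added Python example, not code from the post or from NGSession. It uses an in-memory SQLite table and a temp directory as stand-ins for the shared database and the local cache, and validates the cookie value against the exact id shape the server mints before it is ever used as a cache file name.

```python
import json, os, re, secrets, sqlite3, tempfile

SESSION_ID_RE = re.compile(r"[0-9a-f]{32}")  # shape of the ids new_session() mints


class SessionStore:
    """One web server's view: a private file cache in front of a shared database."""

    def __init__(self, db=None):
        # Constructed stand-ins: an in-memory SQLite DB plays the shared database,
        # a fresh temp dir plays this server's local cache. Pass db= to share one
        # database between two "servers".
        self.db = db if db is not None else sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE IF NOT EXISTS sessions (id TEXT PRIMARY KEY, data TEXT NOT NULL)")
        self.cache_dir = tempfile.mkdtemp(prefix="sesscache_")
        self.db_queries = 0  # counts SELECTs, to show the chain does at most one per server

    def _cache_path(self, sid):
        return os.path.join(self.cache_dir, sid + ".json")

    def _write_cache(self, sid, data):
        with open(self._cache_path(sid), "w") as f:
            json.dump(data, f)

    def new_session(self):
        sid = secrets.token_hex(16)  # server-minted and unguessable; never taken from the client
        data = {}
        self.db.execute("INSERT INTO sessions (id, data) VALUES (?, ?)", (sid, json.dumps(data)))
        self._write_cache(sid, data)
        return sid, data, "new"

    def load(self, cookie_sid):
        """Return (sid, data, source) where source is 'cache', 'db' or 'new'."""
        # The cookie value is untrusted and is about to become a file name: accept only
        # the exact id shape we mint, which also rules out path separators and '..'.
        if not cookie_sid or not SESSION_ID_RE.fullmatch(cookie_sid):
            return self.new_session()
        path = self._cache_path(cookie_sid)
        if os.path.exists(path):
            with open(path) as f:
                return cookie_sid, json.load(f), "cache"
        self.db_queries += 1
        row = self.db.execute("SELECT data FROM sessions WHERE id = ?", (cookie_sid,)).fetchone()
        if row is None:
            return self.new_session()  # unknown id: do not adopt it, mint a fresh one
        data = json.loads(row[0])
        self._write_cache(cookie_sid, data)  # warm this server's cache; later hits skip the DB
        return cookie_sid, data, "db"
```

A second SessionStore built with the first one's db models the user landing on another web server: its first lookup costs one SELECT and every later one is served from its own cache.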