by brown9-2 4731 days ago
How does the "reference implementation" of ASP.NET actually work? Is the cookie's value mapped to some in-memory entry in the application server, is it stored in a database, etc? It seems that the article doesn't say.
1 comment

> Is the cookie's value mapped to some in-memory entry in the application server, is it stored in a database, etc?

Neither. At login the server signs the new session cookie with a secret application key. Later, when a client requests a page and sends over the session cookie, the server verifies the signature. If it matches, the data in the session cookie -- which usually includes the username, whether they're logged in, and for how long -- can be trusted.

This is nice because it makes scaling a stateful site easier. Server-side session stores often become the bottleneck. Also, from a REST standpoint, updating a session database during a GET request (e.g. to freshen the session) is problematic.

ASP.NET was the first time I remember seeing the signed session cookie trick, but most web frameworks have it now:

django -- https://docs.djangoproject.com/en/dev/topics/http/sessions/#...

rails -- http://guides.rubyonrails.org/security.html#session-storage

flask -- http://flask.pocoo.org/docs/api/#sessions

node -- https://github.com/mozilla/node-client-sessions

mojolicious -- http://toroid.org/ams/etc/mojolicious-session-cookies
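The signed-cookie scheme described in the comment above, as an added example that is neither the commenter's code nor any of the listed frameworks' implementations: the server HMACs the serialized session with a secret key and trusts the contents only if the tag verifies and the embedded expiry has not passed. `SECRET_KEY`, the field names and the `now` parameter are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; a real deployment loads this from configuration, never from source.
SECRET_KEY = b"demo-secret-key-not-for-production"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(data: dict, ttl_seconds: int, key: bytes = SECRET_KEY,
                 now: Optional[int] = None) -> str:
    """Serialize the session, attach an expiry, and append an HMAC-SHA256 tag.

    The cookie is signed, not encrypted: the client can read every field,
    but cannot change any of them without invalidating the tag.
    """
    payload = dict(data)
    payload["exp"] = int(now if now is not None else time.time()) + ttl_seconds
    body = _b64e(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    tag = _b64e(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def verify_session(cookie: str, key: bytes = SECRET_KEY,
                   now: Optional[int] = None) -> Optional[dict]:
    """Return the session dict if the tag verifies and it is unexpired, else None."""
    if cookie.count(".") != 1:          # urlsafe base64 never contains '.', so exactly one separator
        return None
    body, tag = cookie.split(".")
    expected = _b64e(hmac.new(key, body.encode(), hashlib.sha256).digest())
    # Constant-time comparison so a forged tag cannot be guessed byte by byte via timing.
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        payload = json.loads(_b64d(body))
    except (ValueError, UnicodeDecodeError):
        return None
    current = int(now if now is not None else time.time())
    if not isinstance(payload, dict) or payload.get("exp", 0) <= current:
        return None                     # expired or malformed: treat as no session
    return payload
```

Because there is no server-side record to delete, a signed session stays valid until its expiry unless the application key is rotated, so keep the TTL short and rotate the key if it is ever exposed.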