Signed session cookies. A good idea?

Question

In an effort to increase performance, I was thinking of trying to eliminate a plain \'session cookie\', but encrypt all the information in the cookie itself.

A very

Answer 1

I know this question is very old now but I thought it might be a good idea to update the answers with a more current response. For anyone like myself who may stumble across it.

In an effort to increase performance, I was thinking of trying to eliminate a plain 'session cookie', but encrypt all the information in the cookie itself.

Now for the big question: is this a bad idea?

The short answer is: No it's not a bad idea, in fact this is a really good idea and has become an industry standard.

The long answer is: It depends on your implementation. Sessions are great, they are fast, they are simple and they are easily secured. Where as a stateless system works well however, is a bit more involved to deploy and may be outside the scope of smaller projects.

Implementing an authentication system based on Tokens (cookies) is very common now and works exceedingly well for stateless systems/apis. This makes it possible to authenticate for many different applications with a single account. ie. login to {unaffiliated site} with Facebook / Google.

Implementing an oAuth system like this is a BIG subject in and of itself. So I'll leave you with some documentation oAuth2 Docs. I also recommend looking into Json Web Tokens (JWT).

extra

A last note: I'm trying come up with solutions to decrease database load. This is only one of the solutions I'm investigating

Redis would work well for offloading database queries. Redis is an in memory simple storage system. Very fast, ~temporary storage that can help reduce DB hits.