undefined | Better HN

0 pointshellweaver66615y ago0 comments

In your post you say:

>> create a cart in the session (bad, bad, bad)

Sorry to be a total n00b, but why is it bad to keep the cart in a session? What do you suggest as an alternative?

0 comments

5 comments · 2 top-level

kls15y ago· 3 in thread

Server side session is a outcrop of the idea that the client is dumb philosophy, as such, the server has to "approximate" the client, this leads to many counter intuitive patterns like session. By far the worst evil is the fact that you have no guaranteed destructor because you have an approximation. So if the client wanders off, you have no way to clean up based on that event other than a brute force timeout. Further session by nature has no way of self governance. For example, I cannot wire an object in session to be cleaned by an observer once an action happen, so a natural byproduct of this is that you get "junk" in the session that all live processes that have reference to it have terminated thereby leaving a zombie.

kls15y ago

Sorry for replying to my own post but I did want to touch a little further on this subject. above I stated:

So if the client wanders off, you have no way to clean up based on that event other than a brute force timeout.

A common rebuttal to this is well just sprinkle in an AJAX call. Which in my opinion is the worst decision one can make. Now not only are you supporting a server model but you also have client mode sprinkled in which compounds the complexity of you application significantly, in essence doubling your technology stack. This is the choice a lot of developers make when trying to dabble in RIA and it is my held belief that this is a fatal mistake. It doubles the required skill set and creates convolution in the sequences of application communication.

mhansen15y ago

By 'an AJAX call', do you mean having the client periodically ping the server, and then cleaning up the session if the ping times out?

1 more reply

sqrt1715y ago

Well, nowadays you can encrypt and sign sessions and store the signed/encrypted data on your client side (or non-encrypted cookies if you want them to be modifiable from the client side). As long as it's more difficult to fake session data than to buy working credit card numbers, you're fine (at least once you've taken care of XSS attacks, which I take to be no less of a problem in a single-page site).

Wow. Did I just point out that cookies have legitimate and valid uses? My self from 10 years ago would run after me with a shovel and yell that cookies are evil. (Incidentally, the opinion of my self from 10 years ago about Javascript would be exactly the same).

mhansen15y ago

He suggests keeping the cart clientside in (e.g.) a javascript array.

j / k navigate · click thread line to collapse

0 comments

5 comments · 2 top-level

kls15y ago· 3 in thread

kls15y ago

Sorry for replying to my own post but I did want to touch a little further on this subject. above I stated:

So if the client wanders off, you have no way to clean up based on that event other than a brute force timeout.

mhansen15y ago

By 'an AJAX call', do you mean having the client periodically ping the server, and then cleaning up the session if the ping times out?

1 more reply

sqrt1715y ago

mhansen15y ago

He suggests keeping the cart clientside in (e.g.) a javascript array.

j / k navigate · click thread line to collapse