Hi all! designing sessions is very essential for all modern webapps, however there is very little discussion about it. Let's assume that a webapp uses HTTPS by default (i.e. no worries about eavesdropping or modifying cookies).
Let's say I just want to design a session that stores only user id, what's the best method to design sessions? from what I know:
clearly the main disadvantage is I have to go to the database every http request and check the session ID. Sure I can use Redis to cache session ids, but also I have to implement a write through logic if I happen to update the session content so that Redis and the DB are synchronized
just generate a random session id (long enough let's say more than 20 ascii chars) and store it in a cookie.
same as Django but also adds HMAC to the session id cookie (isn't this redundant for a HTTPS connection?)
lots of hate and critic about it even though it sounds pretty secure and more performant, and I am not sure how many respectable websites that actually implement it
What do you recommend? what's the current recommended method for designing session logic for a website (hopefully that could be extended to a mobile app) in 2018?