Shift session storage into cookies?
The status quo is that we store Rails sessions in Redis as serialized Ruby objects. Not 100% sure about the serialization, but I can see it's essentially a hash map.
To save memory in Redis, I suggest we change that to the following:
- sessions get an ID, and we only store this in Redis: key `SESSION_PREFIX:SESSION_ID`, value `` (empty string)
- all other data gets stored in a signed or signed+encrypted cookie: `sign_and_encrypt({"session_id":SESSION_ID, "payload":ACTUAL_SESSION_DATA})`
If we do that we push the storage cost of the session into the user's browser, which should scale better.
When GitLab retrieves the session, it checks the signature, decrypts, and checks if the session ID is found in Redis. Only then does it deserialize the session and accept it. Otherwise it tells the browser to delete the cookie.
Edited by Jacob Vosmaer
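
The retrieval order proposed above (verify, decrypt, look up the ID, only then deserialize), as an added example that is not part of the original issue or GitLab's code. It assumes AES-256-GCM for `sign_and_encrypt`, JSON for the payload serialization, and a `Set` in place of Redis; the class, method and prefix names are hypothetical.

```ruby
require "openssl"
require "json"
require "base64"
require "securerandom"
require "set"

# Added sketch: a Set stands in for Redis, which in the proposal holds only
# the key SESSION_PREFIX:SESSION_ID with an empty value.
class CookieSessionStore
  PREFIX = "session:" # hypothetical SESSION_PREFIX

  def initialize(key)
    @key = key           # 32-byte server-side secret
    @known_ids = Set.new # stand-in for Redis
  end

  # Registers a new session ID and returns [id, cookie_value].
  def issue(payload)
    id = SecureRandom.hex(16)
    @known_ids << PREFIX + id
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = @key
    iv = cipher.random_iv
    envelope = JSON.generate("session_id" => id, "payload" => JSON.generate(payload))
    ct = cipher.update(envelope) + cipher.final
    [id, Base64.urlsafe_encode64(iv + cipher.auth_tag + ct)]
  end

  # Returns the payload, or nil when the browser should be told to delete the cookie.
  def read(cookie)
    raw = Base64.urlsafe_decode64(cookie)
    return nil if raw.bytesize <= 28 # 12-byte IV + 16-byte tag + ciphertext
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = @key
    cipher.iv = raw.byteslice(0, 12)
    cipher.auth_tag = raw.byteslice(12, 16)
    # final raises on a bad tag, so nothing unauthenticated reaches a parser
    plain = cipher.update(raw.byteslice(28, raw.bytesize - 28)) + cipher.final
    envelope = JSON.parse(plain.force_encoding("UTF-8"))
    return nil unless @known_ids.include?(PREFIX + envelope["session_id"])
    JSON.parse(envelope["payload"]) # session data is deserialized last
  rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
    nil
  end

  # Deleting the ID server-side invalidates a cookie that still decrypts.
  def revoke(id)
    @known_ids.delete(PREFIX + id)
  end
end
```

The server-side ID lookup is what keeps logout and forced expiry possible: without it, a copied cookie would stay valid for as long as the key does.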