Advantages of using the distributed session cache to maintain session state

The distributed session cache solution has many advantages over the failover cookies solution for maintaining session state.

| Topic | Failover cookies | Distributed session cache |
| --- | --- | --- |
| Security | Slightly less secure than the distributed session cache as identity information is stored in an encrypted cookie. | Provides defense in depth with the distributed session cache located behind the DMZ. |
| Failover between WebSEAL instances | Higher CPU usage is required for WebSEAL to decrypt the failover cookie. A new session is established, which means that we do not share session semantics such as timeout information with other WebSEAL instances. | The distributed session cache shares sessions rather than using a single sign-on mechanism. Session semantics such as timeout information are shared between the various WebSEAL instances. |
| Session policy | No concurrent session policy enforcement. No central administration of sessions. | Concurrent session policy enforcement. Central management of sessions, including session termination using the dscadmin tool. We can list the number of failed login attempts on an account since a successful login. |
| Maintenance | Requires periodic renewal of failover cookie keys in line with corporate policy. This process is manual. | The distributed session cache does not require encryption keys. |
| Cookies | The failover cookie is larger than the distributed session cache session cookie. The failover cookie can be configured to include many attributes, which can significantly increase its size. | The distributed session cache uses a basic session cookie, which is relatively small. The cookies in a distributed session cache environment are typically less than 100 bytes. |
| Logout | In browser scenarios, we cannot successfully log out with failover cookies turned on. | We can log out from a browser session when we use the distributed session cache. |
