Cookie Management at the Edge
I came across an interesting use case for edge compute the other day: cookie management at the edge. It probably won’t be super relevant to a ton of people, but it’s an interesting use case I wanted to share nonetheless.
Brief Background About Cookies
When most people think of cookies, they picture delicious baked morsels. But we’re not here to talk about those (unfortunately). In the context of web development, cookies are one of the options web developers have to store data.
Cookies are awesome. Compared to some of the other options, they have a lot of advantages:
- Unlike storing data in memory, cookies can persist even after the environment is reset. On the front end, this means they can withstand browser reloads, and on the back end, they can withstand service restarts or crashes.
- Unlike browser storage such as sessionStorage, cookies can be accessed on the server side. This can allow you to create personalized experiences for users based on their cookies. Cookies can also have an HttpOnly flag that hides them from client-side JavaScript, which protects them from theft through Cross-Site Scripting (XSS) attacks.
- Unlike a database, cookies can also be accessed on the client side (unless they have the HttpOnly attribute). This means there’s no need to make an HTTP request to re-fetch data you may already have.
- Cookies are stateless, so they work incredibly well for serverless environments because they can be handled the same across any number of serverless functions. This is great for scalability.
These characteristics make cookies a great choice for some things (and not so good for others). Today, the most common use cases for cookies are:
- Session management: Logins, shopping carts, game scores
- Personalization: User preferences, themes, and other settings
- Tracking: Recording and analyzing user behavior
If you already knew about cookies, you may recall that back in 2019, Apple implemented a feature in their Safari browser called Intelligent Tracking Prevention (ITP). It was a pretty major change in the way their browser handles cookies.
With ITP 2.1, all persistent client-side cookies, i.e., persistent cookies created through document.cookie, are capped to a seven-day expiry.
They list a number of reasons for this change that mostly deal with privacy, security, and performance. The important takeaway is that if you, as a developer, want sessions that last longer than a week, you can no longer rely on creating client-side cookies.
So how do front-end teams approach this going forward? Do we keep the logic on the client side and just let cookies expire after seven days? Do we move that logic to the back end, potentially in a different codebase or programming language?
Edge Compute to the Rescue
I was recently reading about an Akamai customer that was dealing with this exact same conundrum.
They decided to pull the cookie manipulation logic out of the front end, but instead of putting it all on their back-end system, they abstracted it away to the edge.
Black Friday and Cyber Monday are critical events for [CUSTOMER], and its website needs to use caching for several campaign pages. CDN technology allows [CUSTOMER] to provide consumers with a consistent user experience during campaigns, while EdgeWorkers manipulates cookies instead of the origin server.
The benefits here were two-fold.
Secondly, for the reasons mentioned above, these cookies needed to be set on the back end. By comparison, if you implement cookie management logic on your origin server, you are creating more work for that origin server to handle. By pushing jobs to edge servers, you can reduce some of the workload going to the origin, which can reduce costs and/or improve performance and reliability for other critical processes.
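To make the idea concrete, here is a sketch of the logic an edge function could run to re-issue a cookie through a Set-Cookie response header instead of document.cookie. It is an added example in plain JavaScript, not the customer's code and not Akamai's cookies module; the cookie name, the 180-day lifetime, the allowed value format, and the function names are all assumptions.

```javascript
// Added example. Cookie name, lifetime, and value format are assumptions.
const COOKIE_NAME = 'prefs';
const MAX_AGE_SECONDS = 180 * 24 * 60 * 60; // 180 days, set server-side

// Allowlist for the value. It rejects CR/LF, ';' and ',' so a value sent by
// the client cannot smuggle extra attributes or headers when it is re-issued.
const SAFE_VALUE = /^[A-Za-z0-9._~-]{1,256}$/;

// Parse a Cookie request header into a name -> value map (first one wins).
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 1) continue; // skip empty or nameless pairs
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name && !jar.has(name)) jar.set(name, value);
  }
  return jar;
}

// Return the Set-Cookie header value the edge should attach to the response,
// or null when the request carries nothing safe to re-issue.
function renewCookie(cookieHeader) {
  const value = parseCookieHeader(cookieHeader).get(COOKIE_NAME);
  if (value === undefined || !SAFE_VALUE.test(value)) return null;
  return [
    `${COOKIE_NAME}=${value}`,
    `Max-Age=${MAX_AGE_SECONDS}`,
    'Path=/',
    'Secure',       // only sent over HTTPS
    'HttpOnly',     // not readable from document.cookie
    'SameSite=Lax',
  ].join('; ');
}

// Constructed sample Cookie headers, not captured traffic.
for (const sample of ['theme=dark; prefs=abc123.v2', 'theme=dark']) {
  console.log(JSON.stringify(sample), '->', renewCookie(sample));
}
```

Because the cookie comes back with HttpOnly, front-end code can no longer read or overwrite it, so this only fits cookies whose logic has fully moved off the client.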
I’m not sure that this example is going to be particularly relevant to a lot of folks as it’s a pretty niche issue that you probably don’t deal with on a regular basis. Regardless, I found it interesting and thought I would share. It’s one of those bits of information I like to keep tucked away in case I need it someday.
This concept isn’t unique to Akamai, but if you want to learn more about the practical side of things, I’d recommend checking out the EdgeWorkers documentation. There is a section specifically for working with their built-in cookies module.
Originally published on austingil.com.