Cookie-Only Sessions Pros/Cons/Summary
Beaker offers an option to use encrypted cookie-only sessions. These sessions are encrypted in such a way that allegedly the user cannot view or modify the information inside the cookie. The documentation discusses these in little detail, and I am having trouble finding a list of pros/cons regarding these types of sessions.
I can see the benefit in that it allows your servers to be more disposable, allowing for a greater degree of horizontal scalability. Also, there is lightened complexity on the server-side architecture since you don't need to account for storage/management of the sessions.
On the other hand, there is some request overhead due to the fact that all the info needs to be sent on every request. The session values cannot be changed purely server-side, so they require a request to be modified. I have concerns with session hijacking, and also, there is a size limit.
I would imagine this topic has been covered somewhere in some type of summary. Does anybody know of such a summary? Would anybody have any additional pros/cons to add? Does anybody know of any mainstream sites that use such an approach?
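To make the "cannot modify", "size limit" and "cannot be revoked server-side" points concrete, here is a minimal cookie-only session encoder/decoder. It is an added example written for this page, not Beaker's code and not how Beaker serializes its cookies. It uses only the Python standard library, so it gives tamper-evidence (HMAC-SHA256 over the payload) and an embedded expiry rather than confidentiality; Beaker's encrypted variant additionally encrypts the body, which you would get by running the body through an AEAD such as AES-GCM before computing the tag. `SECRET_KEY`, `MAX_COOKIE_BYTES` and the 4 KB figure are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption: a server-side secret. In production load it from a secrets store
# and plan for rotation, because every issued cookie is only as strong as this key.
SECRET_KEY = b"example-key-do-not-use-in-production"
# Assumption: browsers cap a single cookie at roughly 4 KB, so the whole token
# (payload + tag) has to fit under that.
MAX_COOKIE_BYTES = 4096


def _b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_session(session: dict, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Serialize session data into a tamper-evident cookie value of the form body.tag.

    The expiry travels inside the signed payload, so a client cannot extend it;
    that is the only lifetime control you get once the cookie has left the server.
    """
    now = time.time() if now is None else now
    payload = dict(session, exp=int(now) + ttl_seconds)
    body = _b64e(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(SECRET_KEY, body.encode("ascii"), hashlib.sha256).digest()
    token = f"{body}.{_b64e(tag)}"
    if len(token) > MAX_COOKIE_BYTES:
        # The size limit the question mentions: there is no server-side store to spill into.
        raise ValueError(f"session too large for a cookie: {len(token)} bytes")
    return token


def decode_session(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the session dict, or None if the tag does not verify or the session expired."""
    now = time.time() if now is None else now
    try:
        body, tag_b64 = token.split(".", 1)
        expected = hmac.new(SECRET_KEY, body.encode("ascii"), hashlib.sha256).digest()
        # Constant-time compare: a plain == leaks timing that helps forge a tag byte by byte.
        if not hmac.compare_digest(expected, _b64d(tag_b64)):
            return None
        payload = json.loads(_b64d(body))
    except (ValueError, UnicodeDecodeError):
        # Covers malformed base64, missing separator, and JSON errors (a ValueError subclass).
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    payload.pop("exp")
    return payload


def tamper_demo(now: float = 1_700_000_000.0) -> dict:
    """Constructed scenario: a client edits its own role in the cookie and keeps the old tag."""
    token = encode_session({"user": "alice", "role": "user"}, ttl_seconds=3600, now=now)
    _, tag = token.split(".", 1)
    forged_payload = {"exp": int(now) + 3600, "role": "admin", "user": "alice"}
    forged_body = _b64e(json.dumps(forged_payload, separators=(",", ":"), sort_keys=True).encode())
    return {
        "genuine": decode_session(token, now=now + 1),
        "forged": decode_session(f"{forged_body}.{tag}", now=now + 1),
        "expired": decode_session(token, now=now + 3601),
    }


if __name__ == "__main__":
    for name, result in tamper_demo().items():
        print(f"{name}: {result}")
```

Note what this does not give you: a cookie stolen inside its TTL remains valid until `exp`, and logging out cannot invalidate it server-side without reintroducing state (a key rotation or a small revocation list), which is the hijacking concern in the question in concrete form.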