Good alternative for user session in high traffic web application?

What would be good/scalable user session alternative in following scenario:

• users don't have to have cookies enabled
• URL query string restriction of 255 characters is imposed
• lot of GET requests (no hidden form fields)
• application runs on several servers (web farm)
• some users connect over proxy (same IP)
• users connect over HTTPS
• 50 000 conc开发者_JAVA技巧urrent users

If you can guarantee that the client always connects to the same web server, you can use the SSL ID as a simple session tracking mechanism. Some web servers expose this capability and automatically use it for session tracking when cookies aren't supported.

The only solution that will work no matter what is to include a session ID in the URL itself. Adding a parameter to the URL is the simplest way to do this, but the ID can be embedded anywhere in the URL, i.e. as part of the path. You would use this ID to fish information about the user out of a database.

You will run into the usual problems, of course, with ID spoofing and having the session database be a bottleneck.

First, IMHO, there is no good alternative to session. The question is how do you obtain it when cookies are disabled. The answer is using URL parameter. So, you have to append session id to each request (including links and forms). All other requirements are not really relevant. Make your logic stateless, so you do not have scalability problems: all requests should arrive to your logic via load ballancer, so you can add as many servers as you want.

Maybe URL Rewriting or some URI shortening mechanism like http://tinyurl.com or http://goo.gl so you can pass your session details well under 255 chars.
Note: Not recommending to use these services but the mechanism.

First of all, your requirements are very tight. The only option I see is using an approach like this: http://code.google.com/p/seaside/

In short: your system will generate statless urls like http://host/app/@123445568978 Then you will go on the db to get the session object.

50000 users doing what? Continuous drag-and-drop with position updates to the server or clicking a text link every 15 minutes? In the last case: move everything onto a single server with a lot of ram.