jvelo / mayocat-shop

[RETIRED] Open source e-commerce and marketplaces made simple on the JVM

Support for token based sessions #237

Open jvelo opened 9 years ago

jvelo commented 9 years ago

Right now user sessions are supported through encrypted/signed cookies. There is a cost associated with this strategy which is not negligible: the password has to be verified for each request, and we must keep a verification cost high enough so that hashes can't be brute-forced. Right now the cost is about 100ms per verification. With token-based sessions, this cost goes away and we can even increase the password verification time since it will happen only upon login.

jvelo commented 8 years ago

See http://jwt.io/
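
The trade-off discussed in this issue, as an added example that is not Mayocat code and not written by the commenters: the slow password hash runs once at login, and each later request is authenticated with a single HMAC check on a signed, expiring token. PBKDF2, HMAC-SHA256, the `payload.signature` token layout, the one-hour lifetime and every name below are assumptions made for the sketch.

```python
import base64, hashlib, hmac, json, os, time

# Assumed parameters for this sketch (none come from the issue).
SERVER_KEY = os.urandom(32)   # signing key, kept server-side only
TOKEN_TTL = 3600              # token lifetime in seconds
KDF_ITERATIONS = 600_000      # deliberately slow; paid only at login

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)

def b64enc(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(payload):
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()

def login(user, password, stored_salt, stored_hash, now=None):
    """Expensive path: verify the password once, then issue a signed token."""
    candidate = hash_password(password, stored_salt)
    if not hmac.compare_digest(candidate, stored_hash):
        return None
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user, "exp": int(now) + TOKEN_TTL}).encode()
    return b64enc(payload) + "." + b64enc(sign(payload))

def authenticate(token, now=None):
    """Cheap path, run on every request: one HMAC plus an expiry check."""
    try:
        body, sig = token.split(".")
        payload, mac = b64dec(body), b64dec(sig)
    except (ValueError, AttributeError):
        return None                      # malformed token
    if not hmac.compare_digest(sign(payload), mac):
        return None                      # forged or tampered token
    claims = json.loads(payload)         # parsed only after the MAC passed
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        return None                      # expired: user must log in again
    return claims["sub"]
```

The password never travels with the request after login, so the hash cost can be raised without slowing ordinary page loads; the price is that a stolen token stays valid until it expires unless the server also keeps a revocation list.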