@simon_brooke @aral 64 bits is not enough for a vaguely secure system. Cookies are not under the server's control. If you are using a 56-bit user ID and that's there as raw data trusted on the host, then it's easy for an attacker on any site with a non-trivial number of users to just send random numbers in the cookie and hijack existing sessions. Remember the birthday paradox.
128 bits is probably fine, since that would let you store an ephemeral UUID.
That said, a 128-bit limit requires that you store all state on the server. No equivalent of local storage means that things like disconnected operation for web apps are not feasible. Maybe that's a goal, but I'd generally prefer to minimise the amount of server state (which is not under my control) rather than minimise the amount of client state (which is mine to inspect).
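
The sizing argument above, as an added worked example that is not part of the original post: it computes how many uniform random guesses give a chosen probability of matching any live identifier, checks the formula by simulation at a small bit width, and generates a 128-bit identifier from the OS CSPRNG. The figure of 1,000,000 live sessions and all function names are assumptions made for illustration.

```python
import math
import random
import secrets

def hit_probability(bits, live_ids, guesses):
    """P(at least one of `guesses` uniform random values equals a live ID)."""
    per_guess = live_ids / 2**bits            # chance that a single guess is live
    # 1 - (1 - p)^g, computed stably when p is tiny
    return -math.expm1(guesses * math.log1p(-per_guess))

def guesses_for(bits, live_ids, target=0.5):
    """Guesses needed to reach `target` probability of hitting any live ID."""
    per_guess = live_ids / 2**bits
    return math.ceil(math.log1p(-target) / math.log1p(-per_guess))

def simulate(bits, live_ids, guesses, trials=2000, seed=1):
    """Monte Carlo check of hit_probability at a small, tractable bit width."""
    rng = random.Random(seed)   # seeded PRNG: simulation only, never for real IDs
    space = 2**bits
    hits = 0
    for _ in range(trials):
        live = set(rng.sample(range(space), live_ids))
        if any(rng.randrange(space) in live for _ in range(guesses)):
            hits += 1
    return hits / trials

def new_session_id():
    """128-bit identifier from the OS CSPRNG, hex encoded (32 characters)."""
    return secrets.token_hex(16)

if __name__ == "__main__":
    live = 1_000_000            # assumed number of live sessions
    for bits in (56, 64, 128):
        print(f"{bits:>3} bits: {guesses_for(bits, live):.3e} guesses for a 50% hit")
    # Constructed small case: formula and simulation should agree closely.
    print("simulated:", simulate(20, 1000, 500),
          "formula:", round(hit_probability(20, 1000, 500), 4))
    print("example 128-bit ID:", new_session_id())
```

Every extra bit of identifier doubles the guesses required, while every doubling of the live population halves them, which is why the identifier width has to be chosen against the expected number of concurrent sessions.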