The size of stateless sessions is critical, as browsers allow only around 4KB in total for cookies from one domain. The minimum size of a stateless session cookie is currently around 1.5KB, or just over 1KB if deflate compression is used. However, there are a number of inefficiencies that could be removed to reduce this even further:
- The legacy session format "wrapper" that we use includes an additional encrypted string that is completely unused in stateless sessions (64 bits plus IV = 32 bytes, hex-encoded = 64 bytes)
- An additional round of c66 encoding is applied on top of the JWT's base64url encoding. This is pointless, as the JWT is already URL-safe, and the encoding is not losslessly reversible, so it damages the JWT in a way that then has to be repaired.
- The JWT library serialises claims and headers with additional whitespace around claim key/values and punctuation. Removing this would shrink the JWT without compression and appears to be a win even with compression enabled.
- The stateless session JWT contains a session handle property, which can never be used for stateless sessions.
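As an added illustration (not code from the original issue or from the project), the following Python measures how much of the cookie budget each of the above items costs: it builds a compact HS256 JWT over a constructed set of claims with and without the whitespace around separators, measures both raw and deflated lengths, accounts for the 64 hex bytes of the unused encrypted string, and checks the total against the ~4KB per-domain budget. The claim names, the signing key and the `sessionHandle` claim used to stand for the unused session handle property are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import zlib

COOKIE_BUDGET = 4096  # approximate per-domain cookie budget from the issue text
UNUSED_HEX_BLOB_LEN = 64  # 32-byte unused encrypted string, hex-encoded, as described above

# Constructed sample data; "sessionHandle" is a hypothetical name for the unused handle claim.
SAMPLE_HEADER = {"alg": "HS256", "typ": "JWT"}
SAMPLE_CLAIMS = {
    "iss": "https://sso.example.test/openam",
    "sub": "id=demo,ou=user,dc=example,dc=test",
    "aud": "openam",
    "iat": 1700000000,
    "exp": 1700003600,
    "jti": "constructed-session-id-0001",
    "sessionHandle": "shandle:constructed-unused-value",
}
SAMPLE_KEY = b"constructed-hmac-key-not-for-production"


def b64url(data: bytes) -> str:
    # base64url without padding, as used in JWT compact serialisation
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt_hs256(header: dict, claims: dict, key: bytes, compact: bool) -> str:
    # compact=False reproduces the ", " and ": " spacing the issue complains about;
    # compact=True drops it, which is the proposed fix.
    seps = (",", ":") if compact else (", ", ": ")
    h = b64url(json.dumps(header, separators=seps, sort_keys=True).encode("utf-8"))
    p = b64url(json.dumps(claims, separators=seps, sort_keys=True).encode("utf-8"))
    sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(sig)}"


def verify_jwt_hs256(token: str, key: bytes) -> dict:
    # Constant-time signature check before the payload is trusted or parsed.
    h, p, s = token.split(".")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), s):
        raise ValueError("JWT signature mismatch")
    return json.loads(b64url_decode(p))


def deflated_len(token: str) -> int:
    # Raw deflate (negative wbits: no zlib header/trailer), the cheapest framing a cookie layer could use.
    c = zlib.compressobj(level=9, wbits=-15)
    return len(c.compress(token.encode("ascii")) + c.flush())


def strip_unused_claims(claims: dict, unused=("sessionHandle",)) -> dict:
    # Drops claims that can never be used for a stateless session.
    return {k: v for k, v in claims.items() if k not in unused}


def size_report(claims=SAMPLE_CLAIMS, header=SAMPLE_HEADER, key=SAMPLE_KEY) -> dict:
    verbose = encode_jwt_hs256(header, claims, key, compact=False)
    compact = encode_jwt_hs256(header, claims, key, compact=True)
    trimmed = encode_jwt_hs256(header, strip_unused_claims(claims), key, compact=True)
    return {
        "verbose": len(verbose),
        "compact": len(compact),
        "compact_without_handle": len(trimmed),
        "verbose_deflated": deflated_len(verbose),
        "compact_deflated": deflated_len(compact),
        "unused_hex_blob": UNUSED_HEX_BLOB_LEN,
    }


def fits_cookie_budget(token_len: int, overhead: int = 0, budget: int = COOKIE_BUDGET) -> bool:
    # overhead covers wrapper bytes such as the unused hex-encoded blob.
    return token_len + overhead <= budget


if __name__ == "__main__":
    for name, size in size_report().items():
        print(f"{name:>24}: {size} bytes")
```

Running the module prints the byte counts side by side; the difference between `verbose` and `compact` is exactly the separator whitespace, and `compact_without_handle` shows the further saving from dropping the handle claim. The deflated figures are there to confirm, on your own claim set, whether the whitespace removal still pays off after compression, which the issue says it appears to.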