The 2.1 Authentication Framework has many significant advantages over the previous system. One major issue that I have not seen addressed is authentication caching. Mod_auth_ldap implements its own caching scheme, and I have been considering creating my own for mod_authn_dbi.
I believe that authentication caching should not be left up to 3rd party modules, but should rather be part of the authentication framework. Caching of authentication results is very important for modules that connect to a database or other limited resource on every request. Even if the module uses persistent connections, offloading queries is never a bad thing. Instead of forcing each module to develop this independently, why can't Apache provide this as part of the core server?

Desired features:
- Timeouts
- Memory limits
- End-user configurable
- Portable
- Requires no modification to existing modules (i.e., it is implemented at the mod_auth level instead of changes to each module)

If authentication caching is done nicely, the performance impact can be very helpful for many modules. Even if the default timeout is a couple of minutes, sending one SQL query over ten page views instead of ten queries is a major advantage for the small cost of increased memory usage.

I have discussed this with a couple of people in IRC, and they all recognized the potential advantages of authentication caching at the core Apache server level. There are a couple of problems with auth caching, like making sure a user is not masquerading as another, changing of IP addresses by evil proxies, and it would be difficult to know about instantaneous changes of a user's password.

I am willing to code much of the cache system if there is significant interest in it.

-chip
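
An added illustration of the cache proposed in the message above (not part of the original email and not Apache code): a Python model of a credential cache with a timeout and an entry limit, where a hit requires the same user and the same password, so one user's cached result cannot serve another. The `AuthCache` class, the `backend` callable and the `invalidate` hook are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import time
from collections import OrderedDict


class AuthCache:
    """Caches successful credential checks in front of a slow backend."""

    def __init__(self, backend, ttl=120.0, max_entries=1024, clock=time.monotonic):
        self.backend = backend          # assumed callable(user, password) -> bool
        self.ttl = ttl                  # timeout in seconds
        self.max_entries = max_entries  # memory limit, expressed as an entry count
        self.clock = clock
        self._key = os.urandom(32)      # per-process key: cache holds keyed digests, not passwords
        self._entries = OrderedDict()   # user -> (digest, expires_at), least recent first

    def _digest(self, user, password):
        msg = user.encode() + b"\x00" + password.encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def check(self, user, password):
        digest = self._digest(user, password)
        entry = self._entries.get(user)
        if entry is not None:
            cached, expires_at = entry
            if self.clock() >= expires_at:
                del self._entries[user]            # timed out
            elif hmac.compare_digest(cached, digest):
                self._entries.move_to_end(user)    # hit: same user, same password
                return True
        # Miss, timeout, or a different password: only the backend can decide.
        if not self.backend(user, password):
            return False                           # failures are never cached
        self._entries[user] = (digest, self.clock() + self.ttl)
        self._entries.move_to_end(user)
        while len(self._entries) > self.max_entries:
            self._entries.popitem(last=False)      # evict least recently used
        return True

    def invalidate(self, user):
        """Call on password change or account disable to drop the cached result."""
        self._entries.pop(user, None)
```

Without a call to `invalidate`, a changed password keeps working from the cache until the timeout expires, which is the stale-password window the message describes.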