On 05.10.2012 00:22, Howard Lewis Ship wrote:
> On Thu, Oct 4, 2012 at 3:18 PM, Massimo Lusetti <[email protected]> wrote:
>> On Thu, Oct 4, 2012 at 9:04 PM, Howard Lewis Ship <[email protected]> wrote:
>>
>>> Users will want to configure their private pass phrase using a newly
>>> defined symbol. If left unconfigured, there will be a runtime error
>>> logged (not an exception, just an error to encourage users to select a
>>> private pass phrase).
>>
>> Why not generate a random string if not supplied?
>> Doesn't it work better than the "DEFAULT" string?
>
> That would not work in a cluster; different servers in the cluster
> would not be able to read each other's streams. Yes, usually, it's
> based on sticky sessions, but even then, there's fail-over to
> consider. Also, a server restart would not only lose client sessions,
> but would generate a new random key, so any forms would become
> unsubmittable even if they did not depend on server-side session
> state.

We could store a randomly generated key in the session for those requests
where a session exists. If none exists use the default. I know, we are
trying to store as little as possible inside the session, but the few bytes
of the key shouldn't be a problem.

Uli
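
An added example (not code from this thread or from the project) comparing the key strategies discussed above: a configured shared pass phrase, a random key per server, and a per-session key with a default fallback. It assumes the pass phrase keys an HMAC-SHA256 over the client-held form data, which the thread does not state; `Node`, `render_form`, `accept_form`, the `hmac_key` session entry and the sample payload are hypothetical.

```python
import hashlib
import hmac
import secrets

DEFAULT_KEY = b"DEFAULT"  # stands in for the fallback string named in the thread


class Node:
    """One server in the cluster (hypothetical model); key=None means a random key per start."""

    def __init__(self, key=None):
        self.key = key if key is not None else secrets.token_bytes(32)

    def _key_for(self, session):
        # Per-session proposal: use the key stored in the session when one exists,
        # otherwise fall back to the node's own key.
        if session is None:
            return self.key
        return session.setdefault("hmac_key", secrets.token_bytes(32))

    def render_form(self, payload, session=None):
        key = self._key_for(session)
        return payload, hmac.new(key, payload, hashlib.sha256).digest()

    def accept_form(self, payload, tag, session=None):
        expected = hmac.new(self._key_for(session), payload, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)


def scenarios():
    data = b"constructed-form-state"  # constructed sample payload
    out = {}
    # Configured pass phrase shared by all nodes: fail-over to another node works.
    a, b = Node(b"configured pass phrase"), Node(b"configured pass phrase")
    out["shared_key_failover"] = b.accept_form(*a.render_form(data))
    # Random key per node: a different (or restarted) node rejects the form.
    a, b = Node(), Node()
    out["random_key_failover"] = b.accept_form(*a.render_form(data))
    # Per-session key: valid only while the session itself reaches the other node.
    a, b = Node(DEFAULT_KEY), Node(DEFAULT_KEY)
    session = {}
    form = a.render_form(data, session)
    out["session_replicated"] = b.accept_form(*form, session=session)
    out["session_lost"] = b.accept_form(*form, session={})
    # No session: both nodes use the default, so the form verifies, but the key is public.
    out["sessionless_default"] = b.accept_form(*a.render_form(data))
    return out
```

Calling `scenarios()` returns one boolean per case; the per-session variant survives fail-over only when the session is replicated, and sessionless requests still depend on the default key.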
