On Tue, 16 Apr 2002 23:18, Michael Kimsal did align ASCII characters thusly:
> I guess the first thing you should help us with is defining "high
> volume".  :)  1/sec?  100 sec?  Actually, this will probably have less
> impact on architecture than hardware, but I'm always curious as to what
> 'high volume' is to different people (my own view has changed
> a lot over the years).

I'm aiming to be closer to 100/sec than 1/sec. If I code for 100/sec it 
should handle anything under that like a breeze. 100/sec is a lot of hits 

> ".htaccess" can be made to pull data from a database, so I don't think
> there's a clear distinction to be made there. 

Do you know of any documentation on this?

> Furthermore, if
> the .htaccess is using a textfile for password authentication, how many
> users are in it?  1,000?  1,000,000? 1,000,000,000?  Using a database
> would be more flexible, I believe, should you need to change webservers
> in the future - you probably won't be moving to IIS, but hey, who knows? :)

No matter what I do it will be reliant on a (PostgreSQL database).

> Manuel is right about the browser authentication method not being
> 'controllable'.  If you log in with a 'challenge/response' password box,
> your browser will keep sending that information with every request
> (including graphics), and because it's in the browser, you have no easy
> way of forcing it to log out.  Doing 'server-side' authentication
> and session handling is going to give you more flexibility.

I've done this sort of authentication before, but have heard conflicting 
reports about what is more *secure*. Your opinion on the best method?

> Our initial testing has shown LDAP to be a bit faster in raw lookups for
> user authentication.  Perhaps a combination of LDAP and another
> database to store the session data would be your best bet.  If you could
> give us more info on your hardware and requirements needs we can better
> assist you.

The hardware is not really the issue here although, to begin with, everything 
will be stored on a single machine (dedicated AMD K6 3D with 256MB RAM). This 
can be upgraded as required.

I'm interested in what is considered to be the best authentication scheme (in 
terms of speed and security) for a server taking a lot of hits (let's say 100 
minute) and having a large number (10,000+) of registered users?

Keep the feedback coming, I would like to see some level of consensus on a 
scheme ;-)


PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
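
The contrast drawn in the quoted reply, as an added example that is not part of the original thread: an HTTP Basic `Authorization` header carries the recoverable password on every request, while a server-side session row can be deleted to force a logout. The table layout, the function names and the in-memory SQLite database (standing in for PostgreSQL so the script runs offline) are assumptions, and all sample values are constructed.

```php
<?php
// Added example; schema, function names and sample data are constructed for illustration.
// SQLite in memory stands in for the PostgreSQL database so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
$db->exec('CREATE TABLE sessions (token_hash TEXT PRIMARY KEY, name TEXT NOT NULL, expires INTEGER NOT NULL)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['alice', password_hash('constructed-pw', PASSWORD_DEFAULT)]);

// HTTP Basic: the browser resends this header with every request, images included.
// It is only base64, so each request carries the recoverable password.
function basicCredentials(string $header): array {
    return array_pad(explode(':', base64_decode(substr($header, strlen('Basic '))), 2), 2, '');
}

// Server-side session: check the password once, then hand out a random token.
// Only a hash of the token is stored, so a leaked table does not yield live sessions.
function login(PDO $db, string $user, string $pass, int $ttl = 1800): ?string {
    $q = $db->prepare('SELECT pw_hash FROM users WHERE name = ?');
    $q->execute([$user]);
    $hash = $q->fetchColumn();
    if ($hash === false || !password_verify($pass, $hash)) {
        return null;
    }
    $token = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO sessions VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $user, time() + $ttl]);
    return $token;   // sent to the browser as a cookie value
}

function currentUser(PDO $db, string $token): ?string {
    $q = $db->prepare('SELECT name FROM sessions WHERE token_hash = ? AND expires > ?');
    $q->execute([hash('sha256', $token), time()]);
    $name = $q->fetchColumn();
    return $name === false ? null : $name;
}

// Logout is a DELETE on the server; Basic auth has no equivalent.
function logout(PDO $db, string $token): void {
    $db->prepare('DELETE FROM sessions WHERE token_hash = ?')->execute([hash('sha256', $token)]);
}

[$u, $p] = basicCredentials('Basic ' . base64_encode('alice:constructed-pw'));
$token = login($db, $u, $p);
var_dump(currentUser($db, $token));   // user resolved from the session row
logout($db, $token);
var_dump(currentUser($db, $token));   // session row deleted on the server
```

The `sessions` lookup is a single primary-key read per request, and expiry is enforced in the same query.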