[PHP] Re: Definitive answer for large scale registration/authentication
Brad Hubbard wrote:

> Can I get some feedback on the conventional wisdom as to the best solution for high volume registration and authentication of users accessing a secure site? I have worked before with database/session based methods as well as htaccess. Which is preferred? Are there alternatives?
>
> Thanks for the feedback,
> Brad

I guess the first thing you should help us with is defining high volume. :) 1/sec? 100/sec? Actually, this will probably have less impact on architecture than hardware, but I'm always curious as to what 'high volume' is to different people (my own view has changed a lot over the years).

.htaccess can be made to pull data from a database, so I don't think there's a clear distinction to be made there. Furthermore, if the .htaccess is using a textfile for password authentication, how many users are in it? 1,000? 1,000,000? 1,000,000,000? Using a database would be more flexible, I believe, should you need to change webservers in the future - you probably won't be moving to IIS, but hey, who knows? :)

Manuel is right about the browser authentication method not being 'controllable'. If you log in with a 'challenge/response' password box, your browser will keep sending that information with every request (including graphics), and because it's in the browser, you have no easy way of forcing it to log out. Doing 'server-side' authentication and session handling is going to give you more flexibility.

Our initial testing has shown LDAP to be a bit faster in raw lookups for user authentication. Perhaps a combination of LDAP and another database to store the session data would be your best bet.

If you could give us more info on your hardware and requirements needs we can better assist you.

Michael Kimsal
http://www.phphelpdesk.com
Guaranteed PHP support when you need it
734-480-9961

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
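The point Michael makes about browser-held credentials is that the server cannot end a login it does not own. The following is an added example, not code from the thread or from any of its authors: a server-side session store kept in a database through PDO, where a session row can be destroyed (or all of one user's rows at once) whenever the server decides. It assumes PHP 7.4 or later with PDO; an in-memory SQLite database stands in for the PostgreSQL database Brad mentions, and only the DSN and the schema's type names would change for `pgsql`. The class, table and method names are all choices made for this example.

```php
<?php
// Added example, not code from the thread: server-side session handling backed
// by a database through PDO. Assumptions: PHP 7.4+ with PDO; an in-memory SQLite
// database stands in for the PostgreSQL one Brad mentions (only the DSN and the
// schema type names change for pgsql). A session row can be destroyed at any
// time, which is exactly what credentials cached in the browser do not allow.
declare(strict_types=1);

final class DbSessionHandler implements SessionHandlerInterface
{
    private PDO $db;
    private int $ttl;

    public function __construct(PDO $db, int $ttlSeconds = 1800)
    {
        $this->db  = $db;
        $this->ttl = $ttlSeconds;
        $this->db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id TEXT PRIMARY KEY, user_id INTEGER, data TEXT NOT NULL, expires INTEGER NOT NULL)');
    }

    public function open($path, $name): bool { return true; }
    public function close(): bool { return true; }

    // Expired rows are treated as absent even before gc() has removed them.
    public function read($id): string
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND expires > ?');
        $st->execute([$id, time()]);
        $data = $st->fetchColumn();
        return $data === false ? '' : (string) $data;
    }

    // Delete-then-insert keeps the SQL portable between SQLite and PostgreSQL;
    // the user_id bound at login is carried over to the rewritten row.
    public function write($id, $data): bool
    {
        $st = $this->db->prepare('SELECT user_id FROM sessions WHERE id = ?');
        $st->execute([$id]);
        $userId = $st->fetchColumn();
        $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
        $st = $this->db->prepare('INSERT INTO sessions (id, user_id, data, expires) VALUES (?, ?, ?, ?)');
        return $st->execute([$id, $userId === false ? null : $userId, $data, time() + $this->ttl]);
    }

    public function destroy($id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc($maxLifetime): int
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE expires <= ?');
        $st->execute([time()]);
        return $st->rowCount();
    }

    // Called once at login (after session_regenerate_id(true)) so that a user's
    // sessions can later be found by user id.
    public function bindUser(string $id, int $userId): void
    {
        $this->db->prepare('UPDATE sessions SET user_id = ? WHERE id = ?')->execute([$userId, $id]);
    }

    // Forced logout on every device: remove every session row the user owns.
    public function revokeUser(int $userId): int
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE user_id = ?');
        $st->execute([$userId]);
        return $st->rowCount();
    }
}

// Stand-alone demonstration that drives the handler directly, without session_start().
$handler = new DbSessionHandler(new PDO('sqlite::memory:'), 60);
$sid = bin2hex(random_bytes(16));                    // constructed session id
$handler->write($sid, serialize(['cart' => [42]]));
$handler->bindUser($sid, 7);                         // user 7 logged in (constructed)
echo 'before revoke: ', $handler->read($sid) === '' ? 'no session' : 'session present', "\n";
$handler->revokeUser(7);
echo 'after revoke:  ', $handler->read($sid) === '' ? 'no session' : 'session present', "\n";

// In a web request the same handler is registered with PHP's native session
// machinery, and $_SESSION is then read from and written to the database.
if (PHP_SAPI !== 'cli') {
    session_set_save_handler($handler, true);
    session_start();
}
```

The demonstration at the bottom writes a session, binds it to a user, then revokes that user and shows the session is gone; with the handler registered through `session_set_save_handler()`, the same `revokeUser()` call logs that user out of every browser on the next request. The LDAP lookup Michael suggests for the password check itself sits in front of this and is independent of where the session rows live.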
[PHP] Re: Definitive answer for large scale registration/authentication
On Tue, 16 Apr 2002 23:18, Michael Kimsal did align ASCII characters thusly:

> I guess the first thing you should help us with is defining high volume. :) 1/sec? 100/sec? Actually, this will probably have less impact on architecture than hardware, but I'm always curious as to what 'high volume' is to different people (my own view has changed a lot over the years).

I'm aiming to be closer to 100/sec than 1/sec. If I code for 100/sec it should handle anything under that like a breeze. 100/sec is a lot of hits though.

> .htaccess can be made to pull data from a database, so I don't think there's a clear distinction to be made there.

Do you know of any documentation on this?

> Furthermore, if the .htaccess is using a textfile for password authentication, how many users are in it? 1,000? 1,000,000? 1,000,000,000? Using a database would be more flexible, I believe, should you need to change webservers in the future - you probably won't be moving to IIS, but hey, who knows? :)

No matter what I do it will be reliant on a (PostgreSQL) database.

> Manuel is right about the browser authentication method not being 'controllable'. If you log in with a 'challenge/response' password box, your browser will keep sending that information with every request (including graphics), and because it's in the browser, you have no easy way of forcing it to log out. Doing 'server-side' authentication and session handling is going to give you more flexibility.

I've done this sort of authentication before, but have heard conflicting reports about what is more *secure*. Your opinion on the best method?

> Our initial testing has shown LDAP to be a bit faster in raw lookups for user authentication. Perhaps a combination of LDAP and another database to store the session data would be your best bet.
>
> If you could give us more info on your hardware and requirements needs we can better assist you.

The hardware is not really the issue here although, to begin with, everything will be stored on a single machine (dedicated AMD K6 3D with 256MB RAM). This can be upgraded as required.

I'm interested in what is considered to be the best authentication scheme (in terms of speed and security) for a server taking a lot of hits (let's say 100/minute) and having a large number (10,000+) of registered users?

Keep the feedback coming, I would like to see some level of consensus on a scheme ;-)

Cheers,
Brad
[PHP] Re: Definitive answer for large scale registration/authentication
Hello,

Brad Hubbard wrote:

> Can I get some feedback on the conventional wisdom as to the best solution for high volume registration and authentication of users accessing a secure site? I have worked before with database/session based methods as well as htaccess. Which is preferred? Are there alternatives?

Probably the fastest way to keep session profile information is by serializing the data array into a string that will be encrypted and then stored in a cookie. The security weakness of this method is that if the secret key leaks, hackers may use it to forge new sessions.

A more secure but eventually less scalable method is to store the session data in a shared memory cache, so you minimize database accesses to just one after the server is restarted. This is probably the one you want to use as long as you know how to deal with shared memory and semaphores.

Regards,
Manuel Lemos
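Manuel's first option, the encrypted cookie, is worth seeing in working form together with the weakness he names. The following is an added example and not code from the thread or from its authors. It assumes PHP 7.3 or later with the sodium extension, and generates a 32-byte key at run time to stand in for the server's secret; the class and method names are choices made for this example. The payload is JSON rather than `serialize()` output so that a forged or corrupted cookie can never reach `unserialize()`, an expiry time is sealed inside the payload so an old cookie cannot be replayed indefinitely, and `sodium_crypto_secretbox` both encrypts and authenticates, so any alteration of the cookie is rejected before decryption.

```php
<?php
// Added example, not code from the thread: Manuel's "serialize, encrypt, store in
// a cookie" session, with the key-leak property he warns about made visible.
// Assumptions: PHP 7.3+ with the sodium extension; the key generated below stands
// in for the server's secret. crypto_secretbox authenticates as well as encrypts,
// so a tampered cookie is rejected, but anyone holding the key can mint a cookie
// for any user, which is why the key must never reach the client.
declare(strict_types=1);

final class CookieSession
{
    private string $key;

    public function __construct(string $key)
    {
        if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new InvalidArgumentException('key must be exactly ' . SODIUM_CRYPTO_SECRETBOX_KEYBYTES . ' bytes');
        }
        $this->key = $key;
    }

    // Seal: JSON (never serialize(), so a forged cookie cannot trigger object
    // unserialization), then nonce || secretbox ciphertext, base64 for the cookie.
    public function seal(array $data, int $ttl = 1800): string
    {
        $data['exp'] = time() + $ttl;             // expiry travels inside the sealed payload
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $box   = sodium_crypto_secretbox(json_encode($data, JSON_THROW_ON_ERROR), $nonce, $this->key);
        return base64_encode($nonce . $box);
    }

    // Open: returns the array, or null if the cookie was altered, sealed with a
    // different key, truncated, or has expired.
    public function open(string $cookie): ?array
    {
        $raw = base64_decode($cookie, true);
        if ($raw === false || strlen($raw) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
            return null;
        }
        $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = sodium_crypto_secretbox_open($box, $nonce, $this->key);
        if ($plain === false) {
            return null;                          // authentication tag did not verify
        }
        $data = json_decode($plain, true);
        if (!is_array($data) || !isset($data['exp']) || $data['exp'] < time()) {
            return null;
        }
        return $data;
    }
}

// Demonstration with a constructed key and payload.
$serverKey = sodium_crypto_secretbox_keygen();
$session   = new CookieSession($serverKey);
$cookie    = $session->seal(['user_id' => 42, 'role' => 'member']);
$opened    = $session->open($cookie);
echo 'genuine cookie:  ', $opened === null ? 'rejected' : 'user_id=' . $opened['user_id'], "\n";

// Flip one bit of the ciphertext: the tag check fails and nothing is decrypted.
$tampered = base64_decode($cookie, true);
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);
echo 'tampered cookie: ', $session->open(base64_encode($tampered)) === null ? 'rejected' : 'accepted', "\n";

// The weakness Manuel describes: a second party holding the same key can seal
// any payload it likes, and the server cannot tell it from a genuine login.
$holderOfLeakedKey = new CookieSession($serverKey);
$minted = $holderOfLeakedKey->seal(['user_id' => 1, 'role' => 'admin']);
$opened = $session->open($minted);
echo 'cookie minted with the key: ', $opened === null ? 'rejected' : 'accepted as role=' . $opened['role'], "\n";
```

Because nothing about the session is kept on the server, the only ways to invalidate a cookie are to let it expire or to rotate the key, which logs out every user at once; that is the trade-off against the database or shared-memory session store, where a single session can be destroyed on demand. Keep the key out of the document root and out of any file a shared-hosting neighbour can read, and store it separately from the database so that one leak does not hand over both.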