On Fri, Jan 28, 2011 at 1:15 PM, tsuraan <[email protected]> wrote:
> Well, that's certainly timely :) I'm not sure if the API is still up
> for discussion, but the ability to do "setTimeout 0" to disable
> timeouts entirely would be nice (most socket APIs allow this). It's
> not a big problem to set it to some absurdly high number, but allowing
> for 0 is somewhat standard. And maybe that does work and I missed it,
> but I didn't see any special handling of 0 in there.

Since it's so new, I'm sure he'd be willing to give adequate consideration to reasonable requests.

My understanding is that the issue with zero timeouts has to do with resistance to DOS attacks, specifically things like slowloris (http://ha.ckers.org/slowloris/). If you don't time out then I think you're automatically vulnerable to this attack. There may be an argument for allowing it to be disabled though.

In our tests, the timeout code imposes a pretty substantial performance penalty, so if we supported disabling it, we'd also probably want to do it in such a way that the timeout code wouldn't even be executed. This would be a logical thing to do to get maximum performance from servers of web services behind firewalls that are not exposed to malicious clients.

_______________________________________________
Snap mailing list
[email protected]
http://mailman-mail5.webfaction.com/listinfo/snap
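
An added illustration of the trade-off discussed in the message above (not code from the post or from Snap): a Python header reader with a total deadline, where passing `None` disables the timeout and skips the timer bookkeeping. The function names, the 8192-byte cap and the sample requests are constructed for this example.

```python
import socket
import time

MAX_HEAD = 8192  # cap on header bytes so the buffer cannot grow without bound


def read_request_head(conn, deadline_s):
    """Read up to the blank line that ends the HTTP header block.

    deadline_s is a total budget for the whole block, not a per-recv idle
    timeout: a client dripping one byte at a time keeps resetting an idle
    timer but still exhausts a total budget. None disables the timeout.
    Returns (status, data); status: "ok", "timeout", "closed", "too_large".
    """
    buf = b""
    conn.settimeout(None)  # blocking reads unless a deadline is set below
    # With no deadline, none of the clock bookkeeping in the loop runs.
    expires = None if deadline_s is None else time.monotonic() + deadline_s
    while b"\r\n\r\n" not in buf:
        if len(buf) >= MAX_HEAD:
            return "too_large", buf
        if expires is not None:
            remaining = expires - time.monotonic()
            if remaining <= 0:
                return "timeout", buf
            conn.settimeout(remaining)
        try:
            chunk = conn.recv(1024)
        except socket.timeout:
            return "timeout", buf
        if not chunk:
            return "closed", buf
        buf += chunk
    return "ok", buf


def demo():
    """Constructed requests over a local socketpair; returns status per case."""
    full = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    cases = [("complete", full, 0.5), ("stalled", full[:-2], 0.5),
             ("complete_no_timeout", full, None)]
    results = {}
    for name, payload, deadline in cases:
        client, server = socket.socketpair()
        client.sendall(payload)
        results[name] = read_request_head(server, deadline)[0]
        client.close()
        server.close()
    return results
```

With `deadline_s=None` the stalled case would block for as long as the peer keeps the connection open, which is why that setting only suits servers whose clients are all trusted.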
