> Since it's so new, I'm sure he'd be willing to give adequate
> consideration to reasonable requests.
>
> My understanding is that the issue with zero timeouts has to do with
> resistance to DOS attacks, specifically things like slowloris
> (http://ha.ckers.org/slowloris/). If you don't time out then I think
> you're automatically vulnerable to this attack.

That is true. I wonder if it would be possible to have a timeout apply only to the time it takes for receiving HTTP headers; for my purposes (and I'm guessing it's pretty common), that would be sufficient to determine whether the connection is authorized, which can at least provide some protection against DOS. If timeouts are disabled entirely, it would still be possible to wrap a timeout around the getCookie function to provide that much functionality, right?

> There may be an
> argument for allowing it to be disabled though. In our tests, the
> timeout code imposes a pretty substantial performance penalty, so if
> we supported disabling it, we'd also probably want to do it in such a
> way that the timeout code wouldn't even be executed. This would be a
> logical thing to do to get maximum performance from servers of web
> services behind firewalls that are not exposed to malicious clients.

If disabling timeouts could provide a performance boost, that would certainly be a good argument for allowing a setTimeout of 0 rather than just doing it with a really high number. Assuming the other trade-offs make sense, of course.

_______________________________________________
Snap mailing list
http://mailman-mail5.webfaction.com/listinfo/snap
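The header-only deadline floated above, as an added example that is not code from this thread or from Snap: one budget covers the whole header block (so a client trickling one header line at a time still gets cut off), after which the caller may relax the socket timeout for an authorized client. `ScriptedSocket` is a constructed stand-in for a real socket, and `time.monotonic` would replace its `clock` in production.

```python
import socket

HEADER_DEADLINE = 5.0    # seconds the complete header block may take to arrive
MAX_HEADER_BYTES = 8192  # bound the size too, so slow *and* huge headers both fail


class SlowHeaders(Exception):
    """Header block did not complete within the deadline (slowloris-style client)."""


def read_headers(sock, clock, deadline=HEADER_DEADLINE, max_bytes=MAX_HEADER_BYTES):
    """Read one request's header block under a single overall deadline.
    sock needs settimeout()/recv() like socket.socket; clock is a monotonic
    time source. Returns (header_block, leftover_bytes); after that the caller
    may call sock.settimeout(None) for a client it has decided to trust."""
    start = clock()
    buf = b""
    while True:
        remaining = deadline - (clock() - start)
        if remaining <= 0:
            raise SlowHeaders("header block incomplete after %.1fs" % deadline)
        sock.settimeout(remaining)  # each recv only gets what is left of the budget
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            raise SlowHeaders("header block incomplete after %.1fs" % deadline)
        if not chunk:
            raise ConnectionError("peer closed before the header block ended")
        buf += chunk
        if len(buf) > max_bytes:
            raise ValueError("header block exceeds %d bytes" % max_bytes)
        end = buf.find(b"\r\n\r\n")
        if end != -1:
            return buf[:end + 4], buf[end + 4:]


class ScriptedSocket:
    """Constructed fake socket: each scripted chunk arrives after a delay."""
    def __init__(self, script):
        self.script = list(script)  # [(seconds_until_arrival, bytes), ...]
        self.now, self.timeout = 0.0, None
    def settimeout(self, t): self.timeout = t
    def clock(self): return self.now
    def recv(self, n):
        if not self.script:
            return b""
        delay, data = self.script[0]
        if self.timeout is not None and delay > self.timeout:
            self.now += self.timeout     # budget ran out before the chunk arrived
            raise socket.timeout()
        self.now += delay
        return self.script.pop(0)[1]


def accepted_within_deadline(sock, deadline=HEADER_DEADLINE):
    """True if the scripted client's header block arrived in time, else False."""
    try:
        read_headers(sock, sock.clock, deadline)
        return True
    except SlowHeaders:
        return False
```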
