I've blocked all the other applications in the Apache config. Just 
wondering: wouldn't it be better to move the applications from the web2py 
git repository to somewhere else? I'm using web2py source from git (with a 
specific tag) for my production system and therefore also have the examples 
and welcome app installed. Since they are blocked it's not an issue for me, 
but it's probably not optimal.

Concerning my session handling: I think I will modify my code to only 
create sessions when the user is logged in. Until now I also used the 
session for anonymous users to store the selected language, but I can move 
this into a cookie. So I assume the number of sessions will be reduced from 
~2 million (for users, monitoring requests, crawlers and whatever) to a 
few thousand. This alone should solve my performance issues.

Maybe I'll store the sessions in the same db after all and not in an 
additional redis db. I guess the performance difference is negligible, 
especially since there will be much fewer sessions.

Alex

On Wednesday, March 23, 2016 at 1:29:51 PM UTC+1, Anthony wrote:
>
> On Wednesday, March 23, 2016 at 1:22:27 AM UTC-4, Massimo Di Pierro wrote:
>>
>> It is, but make sure you do not expose the welcome app. That app exposes 
>> (as an example) the state of the system, which includes your secret key. 
>> The next web2py version (this week, I promise) will prevent that.
>>
>
> Do you mean the *examples* app rather than the *welcome* app? If so, my 
> understanding is that it exposes the cookie_key of the examples app itself, 
> not the cookie_keys of any other apps -- so the risk is not that the 
> session data of other apps will be compromised but that there is a 
> different vulnerability via the examples app (which is therefore a risk of 
> any installation, regardless of the type of sessions used in other apps), 
> no?
>
> Anthony
>
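
Alex's plan above (no server-side session for anonymous visitors, UI language kept in a cookie instead) as an added example that is not part of this thread or of web2py itself. It assumes a web2py model file that runs after db.py has defined `auth`, the cookie name `ui_lang`, a constructed language whitelist, and that `default/user` is the only action to which anonymous visitors submit forms.

```python
import re

LANG_COOKIE = "ui_lang"                        # cookie name chosen for this example
SUPPORTED_LANGS = ("en", "de", "fr", "it")     # constructed whitelist; use your app's list
DEFAULT_LANG = "en"
_LANG_RE = re.compile(r"^[a-z]{2}(-[a-z]{2})?$")
# Actions that still need a session for anonymous visitors: web2py forms keep
# their CSRF formkey in the session, so any anonymous form action belongs here.
SESSION_ACTIONS = {("default", "user")}

def choose_language(cookie_value, supported=SUPPORTED_LANGS, default=DEFAULT_LANG):
    """Map an untrusted cookie value to a language code safe to hand to T.force().

    The cookie is client-controlled, so it is checked against a fixed whitelist;
    anything missing, malformed or unknown falls back to the default."""
    if not isinstance(cookie_value, str):
        return default
    value = cookie_value.strip().lower()
    if not _LANG_RE.match(value) or value not in supported:
        return default
    return value

def session_required(is_logged_in, controller, function):
    """True only when this request must keep a server-side session.

    Logged-in users keep theirs; the auth action needs one for the login form's
    formkey; plain visitors, crawlers and monitoring probes get no session record."""
    if is_logged_in:
        return True
    return (controller, function) in SESSION_ACTIONS

def configure_request(request, response, session, auth, T):
    """Call once per request from a model file (e.g. models/db1_session.py)."""
    morsel = request.cookies.get(LANG_COOKIE)
    T.force(choose_language(morsel.value if morsel is not None else None))
    if not session_required(auth.is_logged_in(), request.controller, request.function):
        session.forget(response)   # web2py: do not create or save a session now

def remember_language(response, lang, max_age=365 * 24 * 3600):
    """Set the language cookie from a controller, after validating the request."""
    lang = choose_language(lang)
    response.cookies[LANG_COOKIE] = lang
    response.cookies[LANG_COOKIE]["path"] = "/"
    response.cookies[LANG_COOKIE]["max-age"] = max_age
    response.cookies[LANG_COOKIE]["httponly"] = True   # no script access needed
    return lang
```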
