Rocket has a longer default wait time before it closes connections in comparison to CherryPy. You might check web2py code, it is not likely using the same default timeout as Rocket proper. See: http://packages.python.org/rocket/usage.html#timeout
This is a DoS vulnerability on CherryPy but not Rocket because Rocket pushes waiting threads to a monitor queue so that they don't occupy worker threads. The monitor queue can easily handle the socket limit of connections. In this manner, Rocket can handle many thousands of connections without causing new connections to have to wait as CherryPy does. There is a limit on number of active connections, but that limit is the number of worker threads which is configurable: http://packages.python.org/rocket/usage.html#max-threads The timeout mentioned in the link above is a timeout based on inactivity between http requests. So the long requests that Iceberg is seeing are perfectly normal and acceptable. Browsers such as Chrome and FF will leave a connection open for quite some time or until the tab is closed (even if the user has browsed away from the Rocket-running server domain). Rocket basically wants to keep those connections open since they don't cost significantly to wait in the monitor queue. -tim On Jul 3, 9:35 am, mdipierro <mdipie...@cs.depaul.edu> wrote: > Let's wait for Tim to respond. The timeout should be enforced. > > On 3 Lug, 09:07, Iceberg <iceb...@21cn.com> wrote: > > > > > Thanks for clarifying. And I take a glance into gluon/widget.py, > > main.py and rocket.py to confirm there is some timeout=10. So from the > > design aspect, I'd better avoid expecting a long-run request to finish > > my app's time-consuming maintenance job. > > > On the other hand, I confirmed that, with latest trunk, running > > Windows XP, my maintenance request did last for more than 10 seconds, > > magically. Does it indicate the DoS-resistant timeout fuse somehow > > fail? Do you think it is ok or unacceptable? > > > My maintenance job's log: > > WARNING:root:job.id=33, elapsed=18.8129999638 s > > > Another evidence in web2py/httpserver.log > > 127.0.0.1, 2010-07-03 21:49:20, GET, /myapp/default/longrun, HTTP/ > > 1.1, 200, 21.750000 > > > Regard, > > Iceberg > > > On Jul3, 8:31pm, mdipierro <mdipie...@cs.depaul.edu> wrote: > > > > The web server threads MUST have a timeout (the shorter the better) > > > else they are vulnerable to denial of service attacks. > > > > On 3 Lug, 06:23, Iceberg <iceb...@21cn.com> wrote: > > > > > Hi Candid and everyone, > > > > > Candid mentioned "rocket should close the connections if request is > > > > taking longer than 10 seconds (default timeout)" in here [1]. Would > > > > somebody clarify, is that true? > > > > > My concern is that, one of my old app need some periodical maintenance > > > > job which could take dozes of seconds to finish. I knew the normal > > > > solution is run another daemon for that, but, for simplicity reasons, > > > > I still chose to use web2py 's builtin cron feature to > > > > visithttp://localhost:8000/myapp/default/maintenanceeveryhour. This > > > > trick > > > > worked well on my windows XP development laptop. I don't know whether > > > > situation is changed since then. > > > > > [1]http://groups.google.com/group/web2py/msg/0416ed025f3e33f8 > > > > > Regards, > > > > Iceberg
