sessions/cookies and sharing files between multiple servers

  • Ben Holness

    sessions/cookies and sharing files between multiple servers

    Hi all,

    I have a php/mysql website where people can upload their own graphics for
    the buttons and background of pages on the website.

    This used to run on one server, but I have now been asked to set it up on
    multiple servers.

    The problem is that when someone uploads a file, how do I distribute it to
    all of the servers? Should I use php to send it to all of the servers once
    it has been uploaded, or is there a better way of synchronizing the files
    between all of the servers?

    Also, I am not sure how autologin (based on cookies) and sessions will
    work when distributing across multiple servers, as my understanding is
    that these are on a per domain basis? (i.e. if someone goes to
    node1.site.com and hits autologin, but next time gets node3, the cookie
    won't be picked up?)

    Any pointers appreciated!

    Cheers,

    Ben
  • David T. Ashley

    #2
    Re: sessions/cookies and sharing files between multiple servers

    "Ben Holness" <usenet@bens-house.org.uk> wrote in message
    news:pan.2006.11.03.10.09.57.387831@bens-house.org.uk...
    >Also, I am not sure how autologin (based on cookies) and sessions will
    >work when distributing across multiple servers, as my understanding is
    >that these are on a per domain basis? (i.e. if someone goes to
    >node1.site.com and hits autologin, but next time gets node3, the cookie
    >won't be picked up?)

    I looked up PHP's native session support; I'm not seeing a way that this
    will do the trick for you.

    When you create a session across multiple servers, you are concerned with:

    a) Is the session identifier guaranteed unique (so that you can't
    accidentally create two sessions on two servers with the same session
    identifier).

    b) How is the session identifier verified as valid by the server. Two
    possibilities, not mutually exclusive:

    b1) Hashing scheme--hash part of identifier must match other context.

    b2) Server state--server remembers which sessions it has issued.

    c) Can a user "forge" a session identifier? What will the consequences be?

    d) If a user "sniffs" a session identifier or gets it from a URL or some
    other means, can it be reused, perhaps concurrently from another machine
    used for an attack. (One helpful discouragement: server remembers which IP
    a session belongs to.)

    If I'm understanding your problem correctly, (b2) implies that the servers
    must communicate somehow, whereas (b1) does not.

    Easiest solution is probably to assign session identifiers so that session
    identifiers are something like:

    $small_random_number . MD5(SECRET_STRING . $connecting_ip .
    $small_random_number)

    where you distribute the same "SECRET_STRING" to all the servers.

    Each server can authenticate a session identifier issued by another server,
    with no communication required between the servers.

    But if you require the sessions to hold server-side state that all the
    servers know about, and if you require a person to be able to log out ...
    you need some communication between the servers.

    It is possible to roll your own session handling. I'm working on a database
    right now:



    The session code is here:





    You can roll your own ... it works just fine to do that.

    But you need to settle (a) through (d) above. (b2) will require
    communication between the servers.

    Post back if anything unclear.

    Dave.
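
The identifier scheme sketched in this post, as an added PHP example that is not part of the original thread: it swaps the MD5(secret . data) construction for HMAC-SHA256 and the small random number for 16 bytes from random_bytes(). The secret value and the IP addresses are constructed placeholders.

```php
<?php
// Added example: stateless session identifiers that any node can verify.
// SHARED_SECRET is a constructed placeholder; in practice every server
// loads the same random secret from its own protected configuration.
const SHARED_SECRET = 'constructed-demo-secret-change-me';

// Issue "<nonce>.<mac>". 16 random bytes keep IDs unique across servers (a).
function issue_session_id(string $clientIp): string
{
    $nonce = bin2hex(random_bytes(16));
    return $nonce . '.' . hash_hmac('sha256', $clientIp . '|' . $nonce, SHARED_SECRET);
}

// Verify without contacting the issuing server (b1). Returns false for
// malformed or forged IDs (c) and for IDs replayed from another IP (d).
function verify_session_id(string $id, string $clientIp): bool
{
    if (!preg_match('/\A([0-9a-f]{32})\.([0-9a-f]{64})\z/', $id, $m)) {
        return false;
    }
    $expected = hash_hmac('sha256', $clientIp . '|' . $m[1], SHARED_SECRET);
    return hash_equals($expected, $m[2]); // constant-time comparison
}

// Constructed demo: "node1" issues, "node3" verifies with the same secret.
$id = issue_session_id('203.0.113.7');
var_dump(verify_session_id($id, '203.0.113.7'));     // same client, other node
var_dump(verify_session_id($id, '198.51.100.9'));    // sniffed ID, different IP
$forged = str_repeat('0', 32) . '.' . str_repeat('0', 64);
var_dump(verify_session_id($forged, '203.0.113.7')); // forged ID
```

An identifier of this kind carries no server-side state, so it cannot be revoked on logout without the communication between servers that the post describes.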




    • Gordon Burditt

      #3
      Re: sessions/cookies and sharing files between multiple servers

      >I have a php/mysql website where people can upload their own graphics for
      >the buttons and background of pages on the website.
      >
      >This used to run on one server, but I have now been asked to set it up on
      >multiple servers.
      Why? The reason matters. If it's a matter of more horsepower with lots
      of little machines rather than one huge one, that's one thing. If it's
      redundancy for extreme reliability, that's another.
      >The problem is that when someone uploads a file, how do I distribute it to
      >all of the servers? Should I use php to send it to all of the servers once
      >it has been uploaded, or is there a better way of synchronizing the files
      >between all of the servers?
      NFS shared filesystem? Or you divide the files between the systems?
      >Also, I am not sure how autologin (based on cookies) and sessions will
      >work when distributing across multiple servers, as my understanding is
      >that these are on a per domain basis? (i.e. if someone goes to
      >node1.site.com and hits autologin, but next time gets node3, the cookie
      >won't be picked up?)
      If you're using a round-robin DNS scheme or something fancier with
      routers and switches for load-balancing, the browser won't know the
      difference between node1.site.com and node3.site.com, because it
      thinks they're all node.site.com, and you won't have an issue with
      domains. Otherwise, use domain cookies rather than individual host
      cookies for the session cookie.

      It is possible to use a session save handler to put session data
      in a MySQL (or other) database rather than a bunch of little files.
      If you share this database between webservers, one login can work
      across several machines. Also, putting the session data in a
      database makes it much easier to expire old data.


      • Ben Holness

        #4
        Re: sessions/cookies and sharing files between multiple servers

        >Why? The reason matters. If it's a matter of more horsepower with lots
        >of little machines rather than one huge one, that's one thing. If it's
        >redundancy for extreme reliability, that's another.
        Mainly horsepower, but it does also provide some redundancy, which is nice.
        >NFS shared filesystem? Or you divide the files between the systems?
        That's probably the solution that I will use; a couple of people have
        suggested it. I was also thinking about unison or rsync, but I think NFS
        will suit better :)

        Thanks for the comments. I am thinking that to make the session stuff
        easier, I might just keep the user on one server once they have logged in,
        but have PHP dynamically choose a node to load an image and run DB queries
        from...

        Cheers,

        Ben
