cocoon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Reinhard Poetz <>
Subject Re: Counter-based continuation IDs (was Re: Load-testing flowscript webapps)
Date Wed, 04 Aug 2004 10:59:42 GMT
Sylvain Wallez wrote:

> Reinhard Poetz wrote:
>> Sylvain Wallez wrote:
> <snip/>
>>> My idea is to write a special implementation of ContinuationManager 
>>> that would produce IDs based on a counter stored in a session 
>>> (meaning each user has a different counter). That way, one can 
>>> record a test scenario using JMeter in proxy mode, and replay it 
>>> with no modifications.
> <snip/>
>> After some more thinking about this I remembered that we discussed to 
>> put the continuations of a user into its session. This is also a 
>> requirement to make Cocoon Flowscript apps capable of being clustered.
>> <hint>Wouldn't this be nice feature</hint> :-)
> As Gianugo says, there's a long way to go before being clusterizable 
> (could be easier with javaflow than with JS flow though). But we can 
> start the journey ;-)

What do you consider as the main blockers?

> Also, along with the simple request recording it allows, I see another 
> advantage in this simpler continuation numbering scheme: better 
> readability of produced pages. This will avoid these long hexadecimal 
> strings that look ugly in the address bar, and allow better 
> understanding of what's going on when developing applications (also 
> useful when training people).
> One could think of security problems such as continuation hijacking 
> because of the predictability of continuation IDs (as opposed to the 
> SecureRandom used today), but there's actually no problem since each 
> session has its own continuation counter. An attacker would first have 
> to hijack the session before accessing its continuations. And if the 
> session is hijacked, were already doomed anyway.
> So I will implement this new scheme and see how's life with simpler 
> URLs ;-)
No objection ;-)


View raw message