From: Scott Gifford
To: bvs7085@gmail.com
Cc: Michael Peters, Mod_Perl
Subject: Re: Ways to scale a mod_perl site
Date: Fri, 18 Sep 2009 11:52:57 -0400
References: <4AB10CB8.7010202@plusthree.com> <4AB10EA2.70108@gmail.com>
In-Reply-To: <4AB10EA2.70108@gmail.com> (Brad Van Sickle's message of "Wed, 16 Sep 2009 12:13:22 -0400")

Brad Van Sickle writes:

>>> 3) Being enabled by item 2, add more webservers and balancers
>>> 4) Create a separate database for cookie data (Apache::Session objects)
>>>    ??? -- not sure if good idea --
>>
>> I've never seen the need to do that. In fact, I would suggest you
>> drop sessions altogether if you can. If you need any per-session
>> information then put it in a cookie. If you need this information to
>> be tamper-proof then you can create a hash of the cookie's data that
>> you store as part of the cookie. If you can reduce the # of times
>> that each request needs to actually hit the database you'll have big
>> wins.
>>
>
> Can I get you to explain this a little more? I don't see how this
> could be used for truly secure sites because I don't quite understand
> how storing a hash in a plain text cookie would be secure.

The general idea is that you store a cryptographic hash of the cookie
information plus a secret only your app knows. Using | to show string
concatenation, your cookie would be:

    YourCookieFields|HASH(YourCookieFields|YourSecret)

An attacker can't create the right hash because they don't know your
secret, and they can't change any fields in the cookie because the hash
would become invalid.

-----Scott.
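The construction Scott describes, as an added worked example in Perl (it is not Scott's code nor part of mod_perl or Apache::Session). It keeps the layout `fields|MAC(fields)` but uses HMAC-SHA256 from the core Digest::SHA module as the keyed hash rather than a bare HASH(fields|secret), since HMAC is the standard construction for this job. The secret, the field names, the separator escaping and the `sign_cookie`/`verify_cookie` helpers are all assumptions made for the example; the sample values are constructed.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): a tamper-evident cookie
# laid out as  payload|HMAC-SHA256(payload, secret).
# Secret, field names and helper names are assumptions for this example.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumed server-side secret; in a real app load it from configuration,
# never from anything the client sends.
my $SECRET = 'example-secret-change-me';

# Serialize fields in a fixed order, escaping the separators we rely on
# ('|' between fields, '=' between key and value) so a value can never
# be mistaken for a field boundary when the cookie is parsed again.
sub encode_fields {
    my (%fields) = @_;
    my @parts;
    for my $k (sort keys %fields) {
        my $v = $fields{$k};
        for ($k, $v) { s/%/%25/g; s/\|/%7C/g; s/=/%3D/g; }
        push @parts, "$k=$v";
    }
    return join '|', @parts;
}

sub decode_fields {
    my ($payload) = @_;
    my %fields;
    for my $part (split /\|/, $payload, -1) {
        my ($k, $v) = split /=/, $part, 2;
        next unless defined $v;
        for ($k, $v) { s/%7C/|/g; s/%3D/=/g; s/%25/%/g; }
        $fields{$k} = $v;
    }
    return %fields;
}

# Build the cookie value: payload|HMAC(payload). Digest::SHA's
# hmac_sha256_hex takes the data first and the key second.
sub sign_cookie {
    my ($secret, %fields) = @_;
    my $payload = encode_fields(%fields);
    return $payload . '|' . hmac_sha256_hex($payload, $secret);
}

# Compare two hex digests without returning early at the first
# differing byte, so timing does not reveal how much of a guess matched.
sub digests_equal {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0;
}

# Verify and decode a cookie; returns undef when the MAC does not match.
sub verify_cookie {
    my ($secret, $cookie) = @_;
    my ($payload, $mac) = $cookie =~ /^(.*)\|([0-9a-f]{64})$/s
        or return undef;
    return undef
        unless digests_equal(hmac_sha256_hex($payload, $secret), $mac);
    return { decode_fields($payload) };
}

# Demonstration with constructed values.
my $cookie = sign_cookie($SECRET, user => 'alice', role => 'member');
print "Set-Cookie: session=$cookie\n";

my $ok = verify_cookie($SECRET, $cookie);
print "valid: user=$ok->{user} role=$ok->{role}\n";

# A client who edits role=member to role=admin invalidates the MAC,
# because recomputing it requires the secret.
(my $forged = $cookie) =~ s/role=member/role=admin/;
print "forged cookie accepted? ",
      (verify_cookie($SECRET, $forged) ? "yes" : "no"), "\n";
```

Two points the exchange above leaves implicit: the payload is still readable by the client (the MAC gives integrity, not confidentiality, so nothing secret belongs in the fields), and a valid cookie stays valid until the secret changes, so an expiry timestamp is normally included among the signed fields and checked in `verify_cookie`.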