Sessions in a load balanced setup

Has anyone here implemented sessions in a load balanced environment using
database storage as a custom session handler? I'd be interested to hear
about your experiences. Upsides, downsides, bugs, troubles, security, etc.

Thanks,
Balazs
Jan 6 '06 #1
Balazs Wellisch wrote:
> Has anyone here implemented sessions in a load balanced environment using
> database storage as a custom session handler? I'd be interested to hear
> about your experiences. Upsides, downsides, bugs, troubles, security, etc.
>
> Thanks,
> Balazs


Hi,

Yes, I did, but not with load balancing.
The load-balancing part is however irrelevant if you use a database for
session storage, since every session will contact the same database that
stores the sessions.
(If you plan to use more databases for session storage, I give up. :P)

A good place to start is at ZEND:
http://www.zend.com/zend/spotlight/c...lery-wade8.php

That page contains a good example, but without session locking.
I wrote my own that does implement session locking. It is not tested 100%,
but seems to work great so far. If you are interested I'll publish it on
the net, but just start with zend. :-)

Regards,
Erwin Moller

Jan 6 '06 #2
> The load-balancing part is however irrelevant if you use a database for
> session storage, since every session will contact the same database that
> stores the sessions.
> (If you plan to use more databases for session storage, I give up. :P)

Yeah, the obvious solution is to store all the session information in a
single database. But that would limit the failover capability of the system.
I was thinking about setting up each box with its own copy of the database
and replicate the data between each one. However, I don't think this is a
feasible solution since session info changes all the time and I can't have
the dbs continuously replicate themselves all the time. I suppose I could
use sticky sessions, but I was wondering if there was a better solution out
there.

> A good place to start is at ZEND:
> http://www.zend.com/zend/spotlight/c...lery-wade8.php

Yes, I looked at Zend and I'm considering investing in their technology.

> That page contains a good example, but without session locking.
> I wrote my own that does implement session locking. It is not tested 100%,
> but seems to work great so far. If you are interested I'll publish it on
> the net, but just start with zend. :-)

I'm definitely interested and I'm sure others would benefit from your work as
well. Please let us know if you do decide to publish it!

Thanks,
Balazs

Jan 7 '06 #3
Balazs Wellisch wrote:
> > The load-balancing part is however irrelevant if you use a database for
> > session storage, since every session will contact the same database that
> > stores the sessions.
> > (If you plan to use more databases for session storage, I give up. :P)
>
> Yeah, the obvious solution is to store all the session information in a
> single database. But that would limit the failover capability of the system.
> I was thinking about setting up each box with its own copy of the database
> and replicate the data between each one. However, I don't think this is a
> feasible solution since session info changes all the time and I can't have
> the dbs continuously replicate themselves all the time. I suppose I could
> use sticky sessions, but I was wondering if there was a better solution out
> there.


There are a number of database technologies that will allow you to set
up replication even in high transaction environments. Oracle's RAS for
example.

Another option is to model the sessions through a persistence object
that uses a database as a backing model. (Think queries answered from
the persistence object, writes go all the way through to the database,
missing queries are answered from database)

-david-

Jan 7 '06 #4
> There are a number of database technologies that will allow you to set
> up replication even in high transaction environments. Oracle's RAS for
> example.

Sorry, I guess I should've mentioned we have to use MySQL.

> Another option is to model the sessions through a persistence object that
> uses a database as a backing model. (Think queries answered from the
> persistence object, writes go all the way through to the database, missing
> queries are answered from database)

That's a promising idea. But I still don't see how that will help when a
session jumps from one server to another. Some mechanism must ensure that
the entire session, along with whatever variables that session contains, is
current on each server. So, if a session gets created on server A and then
it jumps to server B it would have to already exist there. Otherwise the
user could have their session reset a number of times during their visit.
Replication is the only tool I know of that can accomplish this. Any
thoughts?

Balazs
Jan 7 '06 #5
Following on from Balazs Wellisch's message. . .
> Yeah, the obvious solution is to store all the session information in a
> single database. But that would limit the failover capability of the system.
> I was thinking about setting up each box with its own copy of the database
> and replicate the data between each one. However, I don't think this is a
> feasible solution since session info changes all the time and I can't have
> the dbs continuously replicate themselves all the time. I suppose I could
> use sticky sessions, but I was wondering if there was a better solution out
> there.


[The first time I've ever considered this issue so don't take it as
tried-n-tested]

Surely /each box/ doesn't need /its own/ database. If the objective is
to allow some failure to be brushed-off then two databases with
replication should do the trick when you need both DBs to be u/s before
the system fails. Also you would operate normally on a single DB with
the other in standby - as you'd be operating presumably with your main
DB.

Q: What happens if I log into your site twice from my Tabbed browser.
Might I operate as the same session but hitting different servers?[1]
If so what exploit could I use to load a trolley on both screens, buy on
one and decide not to buy on the other and have the cancel overwrite the
buy but not before the goods were authorised for dispatch. [Not a 'you
mustn't do it!, but a GLB-ism]

[1] Even if by hacking the browser (but more likely by cutting and
pasting ?SID=123456 from one tab to the other) - could be worth a lot of
money.
--
PETER FOX Not the same since the icecream business was liquidated
pe******@eminent.demon.co.uk.not.this.bit.no.html
2 Tees Close, Witham, Essex.
Gravity beer in Essex <http://www.eminent.demon.co.uk>
Jan 7 '06 #6
Balazs Wellisch wrote:
> > There are a number of database technologies that will allow you to set
> > up replication even in high transaction environments. Oracle's RAS for
> > example.
>
> Sorry, I guess I should've mentioned we have to use MySQL.

Oracle RAS was an example. There may be an equivalent for MySQL.
(probably a commercial product...)

> > Another option is to model the sessions through a persistence object that
> > uses a database as a backing model. (Think queries answered from the
> > persistence object, writes go all the way through to the database, missing
> > queries are answered from database)
>
> That's a promising idea. But I still don't see how that will help when a
> session jumps from one server to another. Some mechanism must ensure that
> the entire session, along with whatever variables that session contains, is
> current on each server. So, if a session gets created on server A and then
> it jumps to server B it would have to already exist there. Otherwise the
> user could have their session reset a number of times during their visit.
> Replication is the only tool I know of that can accomplish this. Any
> thoughts?
>
> Balazs

Let me break it down.
1. There is one database which is replicated across two instances each
on its own server (i.e. fault tolerance for database and database
servers) The database access object has one access method which
understands which database is primary and which is secondary or the
database handles this for you. Some schemes will also alternate queries
between the two instances.
2. Each web service is on its own server and instantiates a persistence
object which talks to the database.
3. As a user session progresses, each new session value is stored in the
local persistence object (i.e. the one on the server that the browser is
currently talking to) *and* the value is also written through to the
database. This used to be called 'write-through caching'.
4. If the user requests session information which is already in the
persistence object, it is simply handed back.
5. If the user requests session information which is not already in the
persistence object, the database is queried for the [session:tag:value]
which is then stored in the local persistence object.
6. The only place this gets tricky is if you need what used to be known
as an 'atomic cache invalidate' (i.e. you want to guarantee the value of
a session variable across all persistence objects or, in other words,
force all persistence objects to refresh their local copies of the
session data from the database). If you need this, you will have to work
out some sort of intra-persistence object protocol (via the database
most likely but the network also works) to indicate that a
[session:tag:value] tuple should be refreshed from the database even
though it is in the local persistence store.

Clearer?
-david-

Jan 7 '06 #7
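
Added example, not part of the thread or any poster's code: a Python model of the write-through persistence object from steps 3 to 6 of post #7, with a per-value version number so that a server holding an old local copy cannot overwrite a newer write (the buy/cancel case raised in post #6). The class and function names, the `sess` table, and the in-memory SQLite database standing in for the shared session database are all assumptions.

```python
import sqlite3

def make_db():
    # Assumption: in-memory SQLite stands in for the shared session database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sess (sid TEXT, tag TEXT, value TEXT, "
               "version INTEGER NOT NULL, PRIMARY KEY (sid, tag))")
    return db

class PersistenceObject:
    """One per web server: local copies in front of the shared database."""

    def __init__(self, db):
        self.db = db
        self.local = {}  # (sid, tag) -> (value, version this server last saw)

    def get(self, sid, tag, validate=False):
        key = (sid, tag)
        if validate and key in self.local:
            # Step 6: compare versions; drop the local copy if the database moved on.
            row = self.db.execute(
                "SELECT version FROM sess WHERE sid=? AND tag=?", key).fetchone()
            if row is None or row[0] != self.local[key][1]:
                del self.local[key]
        if key not in self.local:
            # Step 5: local miss, answer from the database and keep a copy.
            row = self.db.execute(
                "SELECT value, version FROM sess WHERE sid=? AND tag=?", key).fetchone()
            if row is None:
                return None
            self.local[key] = row
        return self.local[key][0]  # Step 4: local hit

    def set(self, sid, tag, value):
        """Step 3: write through. Returns False if the write was based on a stale copy."""
        key = (sid, tag)
        seen = self.local.get(key, (None, 0))[1]
        with self.db:  # one transaction, committed on exit
            if seen == 0:  # never read here: only valid if the row does not exist yet
                cur = self.db.execute(
                    "INSERT OR IGNORE INTO sess VALUES (?, ?, ?, 1)", (sid, tag, value))
            else:  # compare-and-set: succeeds only at the version this server saw
                cur = self.db.execute(
                    "UPDATE sess SET value=?, version=version+1 "
                    "WHERE sid=? AND tag=? AND version=?", (value, sid, tag, seen))
        if cur.rowcount != 1:
            self.local.pop(key, None)  # stale: force a fresh read next time
            return False
        self.local[key] = (value, seen + 1)
        return True

def two_tab_race():
    """Same session on two servers: buy through A, cancel from B's old copy."""
    db = make_db()
    server_a, server_b = PersistenceObject(db), PersistenceObject(db)
    sid = "constructed-sid"  # constructed sample value
    server_a.set(sid, "order", "trolley-loaded")
    server_b.get(sid, "order")               # tab 2 lands on B; B caches version 1
    server_a.set(sid, "order", "bought")     # tab 1 buys via A; row is now version 2
    stale_view = server_b.get(sid, "order")  # B still answers from its old copy
    cancel_applied = server_b.set(sid, "order", "cancelled")  # rejected: version 1 != 2
    return stale_view, cancel_applied, server_b.get(sid, "order")
```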
> Oracle RAS was an example. There may be an equivalent for MySQL. (probably
> a commercial product...)

Yes, I guess my next step is to find out what MySQL has to offer in this
regard.

> 1. There is one database which is replicated across two instances each on
> its own server (i.e. fault tolerance for database and database servers)
> The database access object has one access method which understands which
> database is primary and which is secondary or the database handles this
> for you. Some schemes will also alternate queries between the two
> instances.
> 2. Each web service is on its own server and instantiates a persistence
> object which talks to the database.
> 3. As a user session progresses, each new session value is stored in the
> local persistence object (i.e. the one on the server that the browser is
> currently talking to) *and* the value is also written through to the
> database. This used to be called 'write-through caching'.
> 4. If the user requests session information which is already in the
> persistence object, it is simply handed back.
> 5. If the user requests session information which is not already in the
> persistence object, the database is queried for the [session:tag:value]
> which is then stored in the local persistence object.
> 6. The only place this gets tricky is if you need what used to be known as
> an 'atomic cache invalidate' (i.e. you want to guarantee the value of a
> session variable across all persistence objects or, in other words, force
> all persistence objects to refresh their local copies of the session data
> from the database). If you need this, you will have to work out some sort
> of intra-persistence object protocol (via the database most likely but the
> network also works) to indicate that a [session:tag:value] tuple should be
> refreshed from the database even though it is in the local persistence
> store.
>
> Clearer?
> -david-


I'm with you. Thank you for the advice!

Balazs
Jan 8 '06 #8
> Surely /each box/ doesn't need /its own/ database. If the objective is to
> allow some failure to be brushed-off then two databases with replication
> should do the trick when you need both DBs to be u/s before the system
> fails. Also you would operate normally on a single DB with the other in
> standby - as you'd be operating presumably with your main DB.

That is an option. However, I was thinking that from a maintenance
standpoint it would be easier to clone a system completely. That way I would
have a bunch of inexpensive, hot pluggable machines. This would give me
infinite scalability for a small initial investment and minimal
configuration to deal with as the number of systems increases. The database
is not going to be huge. Otherwise, you're right, it would probably make
more sense to go with your suggested setup of two separate databases.

> Q: What happens if I log into your site twice from my Tabbed browser.
> Might I operate as the same session but hitting different servers?[1] If
> so what exploit could I use to load a trolley on both screens, buy on one
> and decide not to buy on the other and have the cancel overwrite the buy
> but not before the goods were authorised for dispatch. [Not a 'you mustn't
> do it!, but a GLB-ism]
>
> [1] Even if by hacking the browser (but more likely by cutting and pasting
> ?SID=123456 from one tab to the other) - could be worth a lot of money.


This is more of an issue of security that I would have to deal with no
matter what. I think with URL based session ids turned off, session
fingerprints and other security measures this problem can be eliminated.

Thanks for your advice.
Balazs
Jan 8 '06 #9
