sessions/cookies and sharing files between multiple servers

"Ben Holness" <us****@bens-house.org.ukwrote in message
news:pa****************************@bens-house.org.uk...

Also, I am not sure how autologin (based on cookies) and sessions will
work when distributing across multiple servers, as my understanding is
that these are on a per domain basis? (i.e. if someone goes to
node1.site.com and hits autologin, but next time gets node3, the cookie
wont be picked up?)

I looked up PHP's native session support, I'm not seeing a way that this
will do the trick for you.

When you create a session across multiple servers, you are concerned with:

a)Is the session identifier guaranteed unique (so that you can't
accidentally create two sessions on two servers with the same session
identifier).

b)How is the session identifier verified as valid by the server. Two
possibilities, not mutually exclusive:

b1)Hashing scheme--hash part of identifer must match other context.

b2)Server state--server remembers which sessions it has issued.

c)Can a user "forge" a session identifier? What will the consequences be?

d)If a user "sniffs" a session identifier or gets it from a URL or some
other means, can it be reused, perhaps concurrently from another machine
used for an attack. (One helpful discouragement: server remembers which IP
a session belongs to.)

If I'm understanding your problem correctly, (b2) implies that the servers
must communicate somehow, whereas (b1) does not.

Easiest solution is probably to assign session identifiers so that session
identifiers are something like.

$small_random_number . MD5(SECRET_STRING . $connecting_ip .
$small_random_number)

where you distribute the same "SECRET_STRING" to all the servers.

Each server can authenticate a session identifier issued by another server,
with no communication required between the servers.

But if you require the sessions to hold server-side state that all the
servers know about, and if you require a person to be able to log out ...
you need some communication between the servers.

It is possible to roll your own session handling. I'm working on a database
right now:

http://fboprimedevel.e3ft.com

The session code is here:

http://fboprime.e3ft.com/vcvsgpl01/v...viewcvs-markup

http://fboprime.e3ft.com/vcvsgpl01/v...viewcvs-markup

You can roll your own ... it works just fine to do that.

But you need to settle (a) through (d) above. (b2) will require
communication between the servers.

Post back if anything unclear.

Dave.

>I have a php/mysql website where people can upload their own graphics for

>the buttons and background of pages on the website.

This used to run on one server, but I have now been asked to set it up on
multiple servers.

Why? The reason matters. If it's a matter of more horsepower with lots
of little machines rather than one huge one, that's one thing. If it's
redundancy for extreme reliability, that's another.

>The problem is that when someone uploads a file, how do I distribute it to
all of the servers? Should I use php to send it to all of the servers once
it has been uploaded, or is there a better way of synchronizing the files
between all of the servers?

NFS shared filesystem? Or you divide the files between the systems?

>Also, I am not sure how autologin (based on cookies) and sessions will
work when distributing across multiple servers, as my understanding is
that these are on a per domain basis? (i.e. if someone goes to
node1.site.com and hits autologin, but next time gets node3, the cookie
wont be picked up?)

If you're using a round-robin DNS scheme or something fancier with
routers and switches for load-balancing, the browser won't know the
difference between node1.site.com and node3.site.com, because it
thinks they're all node.site.com, and you won't have an issue with
domains. Otherwise, use domain cookies rather than individual host
cookies for the session cookie.

It is possible to use a session save handler to put session data
in a MySQL (or other) database rather than a bunch of little files.
If you share this database between webservers, one login can work
across several machines. Also, putting the session data in a
database makes it much easier to expire old data.

Why? The reason matters. If it's a matter of more horsepower with lots
of little machines rather than one huge one, that's one thing. If it's
redundancy for extreme reliability, that's another.

Mainly horsepower, but it does also provide some redundancy, which is nice

NFS shared filesystem? Or you divide the files between the systems?

That's probably the solution that I will use, a couple of people have
suggested it. I was also thinking about unison or rysnc, but I think NFS
will suit better :)

Thanks for the comments. I am thinking that to make the session stuff
easier, I might just keep the user on one server once they have logged in,
but have PHP dynamically choose a node to load an image and run DB queries
from...

Cheers,

Ben