
server question

Hi all,

Quick question about using SSL... I am running PHP/MySQL/Apache, and
currently am just using session variables to log users in. Obviously I
would like to make this more secure, i.e. in conjunction with SSL, BUT I
remember hearing awhile back that using SSL drastically cuts down the
number of users a server can handle, and/or slows all accesses down, I
would assume because of the whole encryption/decryption process. Is
this true, and if so, does anyone know of any hard data as to how it
affects it, or maybe links to documentation?

I have Googled this for the past half hour or so and amazingly can find
nothing on the matter, so either I am searching all the wrong keywords
or this is not an issue. Thanks in advance.

Marcus

Jul 17 '05 #1
Marcus wrote:
Hi all,

Quick question about using SSL... I am running PHP/MySQL/Apache, and
currently am just using session variables to log users in. Obviously I
would like to make this more secure, i.e. in conjunction with SSL, BUT I
remember hearing awhile back that using SSL drastically cuts down the
number of users a server can handle, and/or slows all accesses down, I
would assume because of the whole encryption/decryption process. Is
this true, and if so, does anyone know of any hard data as to how it
affects it, or maybe links to documentation?

I have Googled this for the past half hour or so and amazingly can find
nothing on the matter, so either I am searching all the wrong keywords
or this is not an issue. Thanks in advance.

Marcus


First of all which OS - as it can make a difference? Anytime you add
encryption, there is always a performance penalty. But even with that penalty,
most users won't even notice it. Do you know what your anticipated workload
looks like, have you been able to benchmark the number of users hitting the
front page?

--
Michael Austin.
Consultant - Available.
Donations welcomed. Http://www.firstdbasource.com/donations.html
:)
Jul 17 '05 #2
Michael Austin wrote:
First of all which OS - as it can make a difference? Anytime you add
encryption, there is always a performance penalty. But even with that
penalty, most users won't even notice it. Do you know what your
anticipated workload looks like, have you been able to benchmark the
number of users hitting the front page?

Michael:

The OS is Linux. We have been running some benchmarking tests on the
localhost, but on a very small scale... the eventual workload will be
much higher. As the site is not finished and released, we have not
benchmarked the # of users hitting the front page.

The way our service will be setup, each one of our clients will get
their own account, to which THEIR end users will log in and interact
with. So while I cannot give hard numbers now, it will vary directly
with how many accounts we are serving. Planning for the long term :-)
let's say we have 1,000 clients, each of which logs into the system 100
times a day, and whose end users also log in 100 times a day... that's
200,000 log-ins per day total. Would using SSL on all of these
adversely affect it to a great degree? There are very minimal graphics
used - almost all of the transfer is between the user and the database.

Thanks a bunch!

Jul 17 '05 #3
In article <mZ*****************@newssvr15.news.prodigy.com>, Marcus wrote:
Quick question about using SSL... I am running PHP/MySQL/Apache, and
currently am just using session variables to log users in. Obviously I
would like to make this more secure, i.e. in conjunction with SSL,


What do you want to make more secure?
The part where the user logs in, or also the data transmitted with each
page request?

Almost every *large* site I know uses https to handle the submitted
values when a user logs in. And after that uses http to show the pages.

--
Tim Van Wassenhove <http://home.mysth.be/~timvw>
Jul 17 '05 #4
Tim Van Wassenhove wrote:
What do you want to make more secure?
The part where the user logs in, or also the data transmitted with each
page request?

Almost every *large* site I know uses https to handle the submitted
values when a user logs in. And after that uses http to show the pages.


Tim:

From my understanding, if someone simply listens over the network and
steals a session, he/she then has full access to that user's
information. Since I am using session var's to keep track of things,
would using https first and then http be vulnerable?

Jul 17 '05 #5
Marcus wrote:
Tim Van Wassenhove wrote:
What do you want to make more secure? The part where the user logs in,
or also the data transmitted with each
page request?

Almost every *large* site I know uses https to handle the submitted
values when a user logs in. And after that uses http to show the pages.


Tim:

From my understanding, if someone simply listens over the network and
steals a session, he/she then has full access to that user's
information. Since I am using session var's to keep track of things,
would using https first and then http be vulnerable?


I'd guess it'd become vulnerable seeing as how the session would still
be in use.. I thought the secure mode during login was only used to
keep your password in cleartext safe from prying eyes..
Jul 17 '05 #6
"Marcus" <Ju********@aol.com> wrote in message
news:f%**********************@newssvr28.news.prodigy.com...
Tim Van Wassenhove wrote:
What do you want to make more secure?
The part where the user logs in, or also the data transmitted with each
page request?

Almost every *large* site I know uses https to handle the submitted
values when a user logs in. And after that uses http to show the pages.


Tim:

From my understanding, if someone simply listens over the network and
steals a session, he/she then has full access to that user's
information. Since I am using session var's to keep track of things,
would using https first and then http be vulnerable?


Here're some numbers I found on the web:

"In our tests of the two and four Xeon DP processors, we achieved 32 SSL
transaction/sec with two processors, and 54 SSL transaction/sec with four
processors. In the tests with two, four, six and eight Xeon MP processors,
we achieved SSL rates of 16, 35, 50 and 70 transactions per second,
respectively. The DP performance is slightly higher than the MP performance
because the DP processors run at 2.4GHz and the MP processors run at
1.6GHz."

Large commercial sites typically use hardware SSL accelerators to augment
the web server.

You're right about the session id yielding full access to the system. If you
store the session id in a secure cookie, then it wouldn't be sent when the
browser is communicating in HTTP.
Jul 17 '05 #7
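
The secure-cookie point from the last reply, shown for the PHP/Apache setup Marcus describes. This is an added example, not code from the thread; the host name `app.example.test` and the function `completeLogin()` are hypothetical, and it assumes PHP 7.3+ with TLS terminating on the Apache host itself.

```php
<?php
// Added example: keep the PHP session ID off plain-HTTP requests.
// Include this before any output is sent (headers and cookies must go first).

// Hypothetical canonical host name; never build redirects from the Host header.
const CANONICAL_HOST = 'app.example.test';

// Assumption: TLS ends at this server, so Apache sets $_SERVER['HTTPS'].
$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
if (!$isHttps) {
    // Do not start or resume a session on a cleartext request.
    header('Location: https://' . CANONICAL_HOST . '/', true, 301);
    exit;
}

ini_set('session.use_only_cookies', '1'); // never accept a session ID from the URL
ini_set('session.use_strict_mode', '1');  // reject IDs this server did not issue

session_set_cookie_params([
    'lifetime' => 0,      // session cookie, dropped when the browser closes
    'path'     => '/',
    'secure'   => true,   // browser sends the cookie only over HTTPS
    'httponly' => true,   // not readable from page JavaScript
    'samesite' => 'Lax',
]);
session_start();

/**
 * Call only after the submitted password has been verified.
 * Issues a fresh session ID so an ID seen before login is worthless afterwards.
 */
function completeLogin(int $userId): void
{
    session_regenerate_id(true);   // true = delete the old session data
    $_SESSION['user_id'] = $userId;
}
```

With the `secure` flag set, any page later served over plain HTTP receives no session cookie, so every page that needs the logged-in session has to stay on HTTPS.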
