Women in Technology

Hear us Roar



Article:
  The PHP Scalability Myth
Subject:   Hidden variables for session state?
Date:   2003-10-17 15:17:31
From:   anonymous2
Response to: Hidden variables for session state?

The problem with your position (IMHO) is I've already done the things you suggest...hundreds of thousands of lines of code....maintained by disparate developers on different continents, some of whom DO NOT speak the same language....using OO to provide classes, methods, etc.....blah, blah, blah....using both coding environments (Java and PHP).


The unplugging the cable thing is easily solved by using a DB to store one's session info and *NOT* a memory resident process to keep track of uniquely identified users. You see, in the world of system design simplest wins and most complex looses. Store info in EJBs in memory....sure, why not...of course if the WebLogic/JBoss/other Java engine hiccups or because of latency fails to replicate session(s) to peers....viola, lost sessions and pissed users. In the DB scenario the session persists happily and the user never knows if ONE OR MORE of the cluster members went down because there's NO NEED FOR SAID USER TO CARE. On the issue of WebLogic failing over without a hitch, not so fast. I've seen it fail to do just that MANY times from Ver 6.x through current releases.


On the "bad patters I suggest"....I wasn't suggesting anything. I was simply mentioning how one might reduce the complexity of their design by thinking in simple terms. Again, simple wins, complex looses. Item prices for goods and services should ALWAYS be know to the selling business unit that's selling said thing. If not, the Java vs. PHP thing is a non issue because said business won't be around for long.


As for your "Just because there are say, four known responses, it doesn't mean that any of the four are really appropriate for the current user."...you're right. However, if one follows a well designed set of business rules/business processes based on the technically engineered process at hand then the problems with erroneous data making it to the DB is MUCHO reduced (think good design here).


So you see, proper design + proper tool + simplest implementation/design = success. Do I think Java offers this? Sure, but only in a situation where something in Java is required (make sure it's required or it's only added complexity). Is PHP always the correct choice? No, but then again when one builds a house the saw is not always the correct tool.

Main Topics Oldest First

Showing messages 1 through 2 of 2.

  • Hidden variables for session state?
    2003-10-17 17:00:15  anonymous2 [View]

    Correct me if I'm wrong, but you seem to be suggesting a stateless presentation tier. Thus the session state must be moved either forward to the client (i.e., browser) or backward to the middle tier or (as you suggest) database. Let's consider each of these strategies:

    If you're putting the state in the browser as hidden variables, you *MUST* incorporate some mechanism to allow your app to detect whether it has been tampered with. Otherwise you are effectively giving a malicious user write access to their own session. Since the presentation tier is stateless, it has no intrinsic way to know whether the user has manipulated the session in order to, for instance, gain access to someone else's accounts. Encryption of the hidden variables would foil this kind of tampering, but at a cost in CPU cycles. Note that this encryption would have to be done *over and above* the normal https encryption because the two are serving different purposes: https protects the data from third parties, while hidden variable encryption protects the session from tampering by your own user.

    If you're putting the session state in the database, this solves the security problem and provides absolute protection of the session even if the whole server farm goes down. For situations where absolute session preservation is mandatory, this is a reasonable solution. The costs, however, are enormous, because potentially each request/response cycle results in an additional database write. Response time increases because the user has to sit waiting on an additional write, while throughput declines due to the increased traffic to and from the database.
  • Hidden variables for session state?
    2003-10-17 16:58:11  anonymous2 [View]

    Correct me if I'm wrong, but you seem to be suggesting a stateless presentation tier. Thus the session state must be moved either forward to the client (i.e., browser) or backward to the middle tier or (as you suggest) database. Let's consider each of these strategies:

    If you're putting the state in the browser as hidden variables, you *MUST* incorporate some mechanism to allow your app to detect whether it has been tampered with. Otherwise you are effectively giving a malicious user write access to their own session. Since the presentation tier is stateless, it has no intrinsic way to know whether the user has manipulated the session in order to, for instance, gain access to someone else's accounts. Encryption of the hidden variables would foil this kind of tampering, but at a cost in CPU cycles. Note that this encryption would have to be done *over and above* the normal https encryption because the two are serving different purposes: https protects the data from third parties, while hidden variable encryption protects the session from tampering by your own user.

    If you're putting the session state in the database, this solves the security problem and provides absolute protection of the session even if the whole server farm goes down. For situations where absolute session preservation is mandatory, this is a reasonable solution. The costs, however, are enormous, because potentially each request/response cycle results in an additional database write. Response time increases because the user has to sit waiting on an additional write, while throughput declines due to the increased traffic to and from the database.