Reply to Re: sessions/cookies and sharing files between multiple servers


Posted by David T. Ashley on 11/03/06 16:47

"Ben Holness" <usenet@bens-house.org.uk> wrote in message
news:pan.2006.11.03.10.09.57.387831@bens-house.org.uk...
> Also, I am not sure how autologin (based on cookies) and sessions will
> work when distributing across multiple servers, as my understanding is
> that these are on a per domain basis? (i.e. if someone goes to
> node1.site.com and hits autologin, but next time gets node3, the cookie
> won't be picked up?)

I looked up PHP's native session support, I'm not seeing a way that this
will do the trick for you.

When you create a session across multiple servers, you are concerned with:

a) Is the session identifier guaranteed unique (so that you can't
accidentally create two sessions on two servers with the same session
identifier)?

b) How is the session identifier verified as valid by the server? Two
possibilities, not mutually exclusive:

b1) Hashing scheme--hash part of identifier must match other context.

b2) Server state--server remembers which sessions it has issued.

c) Can a user "forge" a session identifier? What will the consequences be?

d) If a user "sniffs" a session identifier or gets it from a URL or some
other means, can it be reused, perhaps concurrently from another machine
used for an attack? (One helpful discouragement: server remembers which IP
a session belongs to.)

If I'm understanding your problem correctly, (b2) implies that the servers
must communicate somehow, whereas (b1) does not.

Easiest solution is probably to assign session identifiers so that session
identifiers are something like:

$small_random_number . MD5(SECRET_STRING . $connecting_ip .
$small_random_number)

where you distribute the same "SECRET_STRING" to all the servers.

Each server can authenticate a session identifier issued by another server,
with no communication required between the servers.

But if you require the sessions to hold server-side state that all the
servers know about, and if you require a person to be able to log out ...
you need some communication between the servers.

It is possible to roll your own session handling. I'm working on a database
right now:

http://fboprimedevel.e3ft.com

The session code is here:

http://fboprime.e3ft.com/vcvsgpl01/viewcvs.cgi/gpl01/webprojs/fboprime/sw/phplib/sess.inc?rev=1.23&content-type=text/vnd.viewcvs-markup

http://fboprime.e3ft.com/vcvsgpl01/viewcvs.cgi/gpl01/webprojs/fboprime/sw/phplib/sessx.inc?rev=1.2&content-type=text/vnd.viewcvs-markup

You can roll your own ... it works just fine to do that.

But you need to settle (a) through (d) above. (b2) will require
communication between the servers.

Post back if anything is unclear.

Dave.
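As an added illustration of the scheme Dave sketches above (this is not code from the post, nor from the fboprime session library he links), here is the identifier layout `nonce . hash(SECRET . ip . nonce)` written out in Python, together with the verification step that any server holding the same secret can run without talking to the server that issued the identifier. The shared secret and the IP addresses are constructed values for the example; the function names are my own.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical shared secret: every node in the cluster is configured with the
# same value out of band (the post's "distribute the same SECRET_STRING to all
# the servers").  Constructed for this example only.
SHARED_SECRET = b"example-shared-secret-distributed-to-all-nodes"

# Width of the "small random number" prefix.  Fixing the width lets a verifier
# split nonce and hash without a delimiter.
NONCE_DIGITS = 8
MD5_HEX_LEN = 32


def issue_session_id(secret: bytes, connecting_ip: str,
                     nonce: Optional[int] = None) -> str:
    """Build nonce . MD5(secret . ip . nonce), the layout from the post.

    A caller may pass the nonce explicitly (handy for tests); otherwise it is
    drawn from the OS CSPRNG so two nodes are very unlikely to mint the same
    identifier for the same client (the post's concern (a)).
    """
    if nonce is None:
        nonce = secrets.randbelow(10 ** NONCE_DIGITS)
    nonce_str = f"{nonce:0{NONCE_DIGITS}d}"
    material = secret + connecting_ip.encode() + nonce_str.encode()
    return nonce_str + hashlib.md5(material).hexdigest()


def verify_session_id(secret: bytes, connecting_ip: str, session_id: str) -> bool:
    """Recompute the hash locally and compare it in constant time.

    This is the post's option (b1): no server-to-server communication is
    needed, because any node with the secret can check an identifier another
    node issued.  Binding the connecting IP into the hash means an identifier
    replayed from a different address fails (the post's concern (d)), and an
    identifier built without the secret fails (concern (c)).
    """
    if len(session_id) != NONCE_DIGITS + MD5_HEX_LEN:
        return False
    nonce_str, presented = session_id[:NONCE_DIGITS], session_id[NONCE_DIGITS:]
    if not nonce_str.isdigit():
        return False
    material = secret + connecting_ip.encode() + nonce_str.encode()
    expected = hashlib.md5(material).hexdigest()
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected, presented)


def cross_server_demo() -> dict:
    """Walk through the cases the post raises and return the outcomes."""
    client_ip = "203.0.113.7"      # constructed client address
    other_ip = "198.51.100.9"      # constructed address of a second machine

    # node1 issues the identifier ...
    sid = issue_session_id(SHARED_SECRET, client_ip)
    return {
        # ... and node3, holding the same secret, accepts it with no lookup.
        "accepted_on_other_node": verify_session_id(SHARED_SECRET, client_ip, sid),
        # Same identifier presented from another machine: rejected.
        "replay_from_other_ip": verify_session_id(SHARED_SECRET, other_ip, sid),
        # Identifier minted with a guessed secret: rejected.
        "forged_without_secret": verify_session_id(
            SHARED_SECRET, client_ip, issue_session_id(b"guess", client_ip)),
        # Garbage of the wrong shape: rejected before any hashing.
        "malformed": verify_session_id(SHARED_SECRET, client_ip, "x" * 40),
    }


if __name__ == "__main__":
    for case, outcome in cross_server_demo().items():
        print(f"{case}: {outcome}")
```

Two things the post's scheme leaves for the reader: the identifier proves only that some node with the secret minted it for this IP, so revocation on logout (or any other server-side state) still needs the shared store or inter-server communication Dave mentions under (b2); and tying the identifier to the client IP will drop legitimate users whose address changes mid-session (mobile clients, rotating proxies). The `MD5(SECRET . data)` concatenation is kept here exactly as written in the post; the standard keyed construction for this purpose today is an HMAC (Python's `hmac.new`), which would replace the two `hashlib.md5(material)` lines without changing the rest of the layout.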


