Slashdot Mirror


Session Management and Mega-Proxies?

chicagothad asks: "I help to run large internet systems for a few Fortune 500 companies. We are running several clustered systems, comprised of both Microsoft and Linux technologies. We have run into several problems with what is known as a 'mega-proxy'. A mega proxy is a way that large internet providers distribute their outbound traffic via a pool of IPs. AOL/Compuserve is the largest example of this. We are having fits with session management right now. Does anyone have any ideas on the best system structure or design to manage these beasts or any other tips that may be helpful?"


  1. there are a few ways to do this by Phork · · Score: 2, Insightful
    using a client IP as a session key is a horrible way to do session management, very bad idea. generate a random (but unique) key to use, try to set it as a cookie, if that fails, append it to the url. if that fails, you have a few options, have a failsafe version of the site that works without session management, or you can present the user an error message, or you can fall back to using the ip, the most common choice seems to be to present an error message saying something to the effect of "for this site to work properly you must enable cookies in your web browser. this can be done by doing xyz in your browser."

    Most web app environments provide this functionality either built in, or through a library, php and perl both do, and I'm fairly sure IIS/asp does.

    this is one of those problems that has been solved a thousand times before, and chances are, someone else has done a better job of solving it than you will on your first try.

    --
    -- free as in swatantryam - not soujanyam.
    1. Re:there are a few ways to do this by Wolfkin · · Score: 2, Insightful

      [...]if that fails, append it to the url. if that fails, you have a few options[...]

      How, exactly, could appending it to the URL fail? I use this method in everything I do that requires session ids (since it avoids the extra code for cookie checking, and you can hide the ugly session URL behind frames), and haven't ever had it fail. I'm not sure how that would even be possible.

      --
      Property law should use #'EQ, not #'EQUAL.
  2. Re:URLs by SuiteSisterMary · · Score: 3, Insightful

    Still need to make abso-ma-loutely sure that session keys'll never ever be recycled. Also, make sure you don't store session keys, dates, stuff like that 'raw.' Either you or your server software should do fun things like hash them, so you can tell accidental or purposeful tampering.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
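
An added example, not part of any comment in this thread: a session token built from a random identifier plus a keyed hash (HMAC-SHA256, one reading of the "hash them" advice above), looked up without reference to the client IP so that a mega-proxy changing the source address between requests does not break the session. The in-memory dictionaries, the `SERVER_KEY` handling and all function names are assumptions made for illustration; the IP addresses are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Assumption: in a cluster this key and the store below are shared by all nodes.
SERVER_KEY = secrets.token_bytes(32)
_sessions = {}     # stand-in for a shared session store (database, cache)
_retired = set()   # identifiers that were issued and ended; never reissued


def _sign(session_id: str) -> str:
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def _verified_id(token: str):
    """Return the session id if the tag matches, else None."""
    session_id, sep, tag = token.partition(".")
    if not sep:
        return None
    # Compare as bytes so a non-ASCII tag is rejected instead of raising.
    if not hmac.compare_digest(tag.encode(), _sign(session_id).encode()):
        return None
    return session_id


def create_session(user: str) -> str:
    """Return the cookie (or URL parameter) value '<random id>.<HMAC tag>'."""
    while True:
        session_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        if session_id not in _sessions and session_id not in _retired:
            break
    _sessions[session_id] = {"user": user}
    return f"{session_id}.{_sign(session_id)}"


def lookup_session(token: str, client_ip: str):
    """client_ip is accepted (e.g. for logging) but is never part of the key."""
    session_id = _verified_id(token)
    return _sessions.get(session_id) if session_id else None


def end_session(token: str) -> None:
    session_id = _verified_id(token)
    if session_id and _sessions.pop(session_id, None) is not None:
        _retired.add(session_id)


if __name__ == "__main__":
    tok = create_session("alice")
    print(lookup_session(tok, "192.0.2.10"))      # first proxy address
    print(lookup_session(tok, "198.51.100.77"))   # same session, new address
    print(lookup_session(tok[:-1] + "x", "192.0.2.10"))  # tampered tag
```
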
  3. How'd you get the job? by The+AtomicPunk · · Score: 2, Insightful

    Without knowing something so basic to web site operation?

  4. I hate the nature of this AskSlashdot item by billcopc · · Score: 2, Insightful

    Why should we (the intelligent users) tell you (the overpaid 'consultant') how to put together a good session-based system? The information is readily available on the web for anyone to read, and it's not even that hard to find, assuming you know how to use a search engine such as Google. The solution is a hybrid of simple techniques which make up for each other's weaknesses. Just use that Fortune-500 brain you've been neglecting all these years.

    --
    -Billco, Fnarg.com