Thursday, July 28, 2005
MySQL, PHP sessions and multiple machines
Following on from our previous experiments, we realised that
the problem with running a web-based service (such as the Horde webmail client) across multiple servers
is maintaining session information between the machines.
PHP's default session handling functions make use of flat files stored on a
local disk. PHP, however, provides a way to override this with user-defined
functions. In other words, it's possible to plug your own session handling
routines into PHP's session handler.
David suggested that MySQL replication might be a good way to do this. We're
already using MySQL replication extensively at Rhodes, so it seemed like
a good way to go.
Looking around the web, I expected to quickly find a library to do this. It
didn't, after all, seem that unusual an approach to the problem. Sure enough,
I found several different libraries, but they all failed the same basic
condition. They failed to adequately escape their input.
This bugged me a bit, so I decided to write my own library that was careful
to ensure that it didn't trust any user input. Knowing that I was likely to
have to debug my own code, I also decided to include extensive error logging
into the library using PHP's error_log() function. I'd never used this
function before — it allows me to write a message to the server's error log
without displaying it to the user.
As always, the code for this is available in the hopes that it is useful to
someone else.
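A sketch of the approach described above, as an added example and not the author's library: a session handler that stores sessions in a shared database, treats the session id as untrusted input, and reports rejects through error_log(). It uses PHP 8's SessionHandlerInterface and PDO bound parameters in place of manual escaping; the class name, the `sessions` table and its columns are assumptions.

```php
<?php
// Added example, not the author's library. Assumed: table "sessions" (id, data, touched).
class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db) {}
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    // The id arrives in a cookie: check its shape, log rejects to the server log only.
    private function valid(string $id): bool
    {
        if (preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $id) === 1) { return true; }
        error_log('session: rejected malformed id, length ' . strlen($id));
        return false;
    }
    public function read(string $id): string|false
    {
        if (!$this->valid($id)) { return ''; }
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $st->execute([$id]); // bound parameter, never concatenated into the SQL
        $data = $st->fetchColumn();
        return $data === false ? '' : (string) $data;
    }
    public function write(string $id, string $data): bool
    {
        if (!$this->valid($id)) { return false; }
        // REPLACE INTO is accepted by MySQL and by the SQLite stand-in used below.
        $st = $this->db->prepare('REPLACE INTO sessions (id, data, touched) VALUES (?, ?, ?)');
        return $st->execute([$id, $data, time()]);
    }
    public function destroy(string $id): bool
    {
        return $this->valid($id)
            && $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }
    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE touched < ?');
        $st->execute([time() - $max_lifetime]);
        return $st->rowCount();
    }
}
// Demo on in-memory SQLite so it runs offline; production passes a MySQL PDO
// and registers the handler with session_set_save_handler($h, true).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE sessions (id VARCHAR(256) PRIMARY KEY, data TEXT, touched INTEGER)');
$h = new DbSessionHandler($db);
$id = str_repeat('a1', 16); // constructed, well-formed 32-character id
$h->write($id, 'counter|i:1;');
var_dump($h->read($id));
var_dump($h->write("not a valid id'", 'x')); // constructed malformed id: rejected, logged
```

The rejected id is logged by length only, so attacker-controlled bytes never reach the log file.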
Armed with a new library, we proceeded to extend our test environment to include a PHP web
page that made use of PHP sessions to increment a counter. Each of the
three web servers had a copy of this page, and each one made use of my new
MySQL session library to
store sessions in a common, shared database.
A web browser visiting https://test.ru.ac.za/ showed that, in spite of
changing the IP address we connected to, the session data remained. This is
good for things like IMP running on
a cluster of machines.
The actual results were interesting. We did experiments with both Internet
Explorer and Firefox and
discovered that they behaved slightly differently. Both establish an SSL/TLS
session when you first visit the https:// URL. They maintain this open
connection after the page has finished loading and re-use it for subsequent
hits on the same site. This is good news for sessions. It means that for a
single render of a web page (typically consisting of multiple requests), it
is likely that you'll always talk to the same machine in the cluster. Both
browsers eventually time out these connections; the difference is how long
they're prepared to keep them open. Our experiments showed that Firefox kept
its connection open for about thirty seconds; Internet Explorer, on the other
hand, seems to keep its connection open for much longer.
posted by guy at: 08:56 SAST
