Difference between revisions for Users / Eo Ny
|
← Previous edit
|
Next edit →
|
| Version1 | Version2 | ||
|---|---|---|---|
| 1713 | 1713 | ||
| 1714 | === Performance Considerations === | 1714 | === Performance Considerations === |
| 1715 | 1715 | ||
| 1716 |
==== |
1716 | ====Optimization Tips==== |
| 1717 | 1. **Minimize Session Writes:** | 1717 | 1. **Minimize Session Writes:** |
| 1718 |
|
1718 | - Session data only written during ##write_close()## or regeneration |
| 1719 |
|
1719 | - No unnecessary serialization during reads |
| 1720 | 2. **Garbage Collection:** | 1720 | 2. **Garbage Collection:** |
| 1721 |
|
1721 | - Probabilistic GC (based on ##cf_gc_probability##) |
| 1722 |
|
1722 | - Only runs on ~2% of requests by default |
| 1723 |
|
1723 | - Customize based on your session volume |
| 1724 | 3. **Nonce Cleanup:** | 1724 | 3. **Nonce Cleanup:** |
| 1725 |
|
1725 | - Expired nonces automatically removed on verification |
| 1726 |
|
1726 | - Verified nonces removed from storage |
| 1727 |
|
1727 | - No manual cleanup needed |
| 1728 | 4. **Session ID Validation:** | 1728 | 4. **Session ID Validation:** |
| 1729 |
|
1729 | - Regex-based validation is fast |
| 1730 |
|
1730 | - No database lookup needed |
| 1731 | 5. **Caching Strategy:** | 1731 | 5. **Caching Strategy:** |
| 1732 |
|
1732 | - Cache expensive lookups between session operations |
| 1733 |
|
1733 | - Session data loaded once per request |
| 1734 | 1734 | ||
| 1735 | ==== Benchmarks ==== | 1735 | ==== Benchmarks ==== |
| 1736 | 1736 | ||
| … | … | … | … |
| 1807 | 1807 | ||
| 1808 | ---- | 1808 | ---- |
| 1809 | 1809 | ||
| 1810 | === TODO Items (From Code Comments) === | 1810 | ===TODO Items (From Code Comments)=== |
| 1811 | |||
| 1812 | The following improvements are planned: | 1811 | The following improvements are planned: |
| 1813 | 1. **Do not store session ID in filename or DB index - store hash instead** | 1812 | 1. **Do not store session ID in filename or DB index - store hash instead** |
| 1814 |
|
1813 | - Improves security by not exposing IDs in storage layer |
| 1815 |
|
1814 | - Would require hashing logic in store_* methods |
| 1816 | 2. **Log of IP changes and other possible security alerts** | 1815 | 2. **Log of IP changes and other possible security alerts** |
| 1817 |
|
1816 | - Track ##sticky__ip## changes more comprehensively |
| 1818 |
|
1817 | - Create security audit trail |
| 1819 | 3. **Allocate internal unique session which lives through lifetime of uber-session** | 1818 | 3. **Allocate internal unique session which lives through lifetime of uber-session** |
| 1820 |
|
1819 | - Multi-session management (parent/child sessions) |
| 1821 |
|
1820 | - Useful for complex user flows |
| 1822 | 4. **Do not delete old sessions, but use them as hijack pointers** | 1821 | 4. **Do not delete old sessions, but use them as hijack pointers** |
| 1823 |
|
1822 | - Maintain session history for analysis |
| 1824 |
|
1823 | - Detect potential session hijacking patterns |
| 1825 |
|
1824 | - Implement session relationship tracking |
| 1826 | 5. **All SIDs used later than ~5secs of regenerations is hijacks** | 1825 | 5. **All SIDs used later than ~5secs of regenerations is hijacks** |
| 1827 |
|
1826 | - Detect and block delayed session ID usage |
| 1828 |
|
1827 | - Current implementation allows 5-second window |
| 1829 |
|
1828 | - Could be more granular |
| 1830 | 1829 | ||
| 1831 | ---- | 1830 | ---- |
| 1832 | 1831 | ||