sessions/cookies and sharing files between multiple servers

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
Hi all,

I have a php/mysql website where people can upload their own graphics for
the buttons and background of pages on the website.

This used to run on one server, but I have now been asked to set it up on
multiple servers.

The problem is that when someone uploads a file, how do I distribute it to
all of the servers? Should I use php to send it to all of the servers once
it has been uploaded, or is there a better way of synchronizing the files
between all of the servers?

Also, I am not sure how autologin (based on cookies) and sessions will
work when distributing across multiple servers, as my understanding is
that these are on a per domain basis? (i.e. if someone goes to and hits autologin, but next time gets node3, the cookie
wont be picked up?)

Any pointers appreciated!



Re: sessions/cookies and sharing files between multiple servers

Quoted text here. Click to load it

I looked up PHP's native session support, I'm not seeing a way that this  
will do the trick for you.

When you create a session across multiple servers, you are concerned with:

a)Is the session identifier guaranteed unique (so that you can't  
accidentally create two sessions on two servers with the same session  

b)How is the session identifier verified as valid by the server.  Two  
possibilities, not mutually exclusive:

b1)Hashing scheme--hash part of identifer must match other context.

b2)Server state--server remembers which sessions it has issued.

c)Can a user "forge" a session identifier?  What will the consequences be?

d)If a user "sniffs" a session identifier or gets it from a URL or some  
other means, can it be reused, perhaps concurrently from another machine  
used for an attack.  (One helpful discouragement:  server remembers which IP  
a session belongs to.)

If I'm understanding your problem correctly, (b2) implies that the servers  
must communicate somehow, whereas (b1) does not.

Easiest solution is probably to assign session identifiers so that session  
identifiers are something like.

$small_random_number . MD5(SECRET_STRING . $connecting_ip .  

where you distribute the same "SECRET_STRING" to all the servers.

Each server can authenticate a session identifier issued by another server,  
with no communication required between the servers.

But if you require the sessions to hold server-side state that all the  
servers know about, and if you require a person to be able to log out ...  
you need some communication between the servers.

It is possible to roll your own session handling.  I'm working on a database  
right now:

The session code is here:

You can roll your own ... it works just fine to do that.

But you need to settle (a) through (d) above.  (b2) will require  
communication between the servers.

Post back if anything unclear.


Re: sessions/cookies and sharing files between multiple servers

Quoted text here. Click to load it

Why?  The reason matters.  If it's a matter of more horsepower with lots
of little machines rather than one huge one, that's one thing.  If it's
redundancy for extreme reliability, that's another.

Quoted text here. Click to load it

NFS shared filesystem?  Or you divide the files between the systems?

Quoted text here. Click to load it

If you're using a round-robin DNS scheme or something fancier with
routers and switches for load-balancing, the browser won't know the
difference between and, because it
thinks they're all, and you won't have an issue with
domains.  Otherwise, use domain cookies rather than individual host
cookies for the session cookie.

It is possible to use a session save handler to put session data
in a MySQL (or other) database rather than a bunch of little files.
If you share this database between webservers, one login can work
across several machines.  Also, putting the session data in a
database makes it much easier to expire old data.

Re: sessions/cookies and sharing files between multiple servers

Quoted text here. Click to load it

Mainly horsepower, but it does also provide some redundancy, which is nice

Quoted text here. Click to load it

That's probably the solution that I will use, a couple of people have
suggested it. I was also thinking about unison or rysnc, but I think NFS
will suit better :)
Thanks for the comments. I am thinking that to make the session stuff
easier, I might just keep the user on one server once they have logged in,
but have PHP dynamically choose a node to load an image and run DB queries



Site Timeline