
zxid and shared/distributed filesystems?

Hello all,
    I have a few questions about zxid's session management.  Currently, I'm
interested in a redundant SP implementation using an existing load-balanced
web server infrastructure.  Since zxid is solely filesystem based at this
time, I'm considering a few options for central session storage:

1. Use a single SP server and proxy SSO requests to this server.
2. Use an NFS mount for /var/zxid/ses (and likely /var/zxid/log/rely).
3. Use a virtual filesystem for /var/zxid/ses
(and likely /var/zxid/log/rely), such as memcachefs or mysqlfs.

Given how zxid currently manages sessions via pseudorandom numbers, would it
be safe to run concurrently across multiple webservers on a centralized
filesystem?  It seems most SP/IdP implementations use a single-server (with
optional failover-server) concept, but my target environment is generally
better suited for distributed web services and already has infrastructure in
place for options 2 or 3.

My priorities are: 1. security; 2. fault tolerance.  Thus, if a centralized
filesystem could compromise user security in any way (e.g. session directory
shared due to pseudorandom collisions), a single SP server would likely be
the better option.

Note: I see that I can compile ZXID_ID_BITS with a fairly high value (i.e.
144), so the chance of a pseudorandom collision should be extremely
improbable in a real-world context.
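
The collision concern raised above, as an added example that is not part of the original post and is not zxid's own code: each web server claims a session directory with mkdir(), so an id that is already taken is reported (EEXIST) instead of two users silently sharing one directory. The function names, the hex encoding of the id and the retry limit are assumptions, and the sketch relies on the shared filesystem implementing mkdir() atomically, which has to be confirmed for the NFS or virtual filesystem in use.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

#define ID_BYTES 18   /* 144 bits, the ZXID_ID_BITS value from the post */

/* Fill id (2*ID_BYTES+1 chars) with a hex id from the kernel CSPRNG; 0 on success. */
static int random_id(char *id) {
    unsigned char raw[ID_BYTES];
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, raw, sizeof raw);
    close(fd);
    if (n != (ssize_t)sizeof raw) return -1;
    for (int i = 0; i < ID_BYTES; i++) sprintf(id + 2 * i, "%02x", raw[i]);
    return 0;
}

/* Claim ses_root/id with mkdir(): returns 0 if this caller created it,
 * 1 if the id is already taken (collision), -1 on any other error. */
int claim_session(const char *ses_root, const char *id) {
    char path[512];
    int len = snprintf(path, sizeof path, "%s/%s", ses_root, id);
    if (len < 0 || (size_t)len >= sizeof path) return -1;
    if (mkdir(path, 0700) == 0) return 0;
    return errno == EEXIST ? 1 : -1;
}

/* Create a fresh session, drawing a new id whenever one is already taken. */
int new_session(const char *ses_root, char *id_out) {
    for (int attempt = 0; attempt < 4; attempt++) {
        if (random_id(id_out) != 0) return -1;
        int rc = claim_session(ses_root, id_out);
        if (rc <= 0) return rc;   /* created, or hard error */
    }
    return -1;                    /* repeated collisions: the RNG is suspect */
}

/* log2 of the birthday bound n^2 / 2^(bits+1) for n = 2^log2_sessions ids. */
int collision_log2(int id_bits, int log2_sessions) {
    return 2 * log2_sessions - id_bits - 1;
}

int main(void) {
    return printf("p <= 2^%d\n", collision_log2(144, 30)) < 0;
}
```

With 144-bit ids and 2^30 live sessions the bound is 2^-85, so a run of EEXIST results points at a broken or shared random source rather than bad luck.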