[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
zxid and shared/distributed filesystems?
I have a few questions about zxid's session management. Currently, I'm
interested in a redundant SP implementation using an existing load-balanced
web server infrastructure. Since zxid is solely filesystem based at this
time, I'm considering a few options for central session storage:
1. Use a single SP server and proxy SSO requests to this server.
2. Use a NFS mount for /var/zxid/ses (and likely /var/zxid/log/rely).
3. Use a virtual filesystem for /var/zxid/ses
(and likely /var/zxid/log/rely), such as memcachefs or mysqlfs.
Given how zxid currently manages sessions via pseudorandom numbers, would it
be safe to run concurrently across multiple webservers on a centralized
filesystem? It seems most SP/IdP implementations use a single-server (with
optional failover-server) concept, but my target environment is generally
better suited for distributed web services and already has infrastructure in
place for options 2 or 3.
My priorites are: 1. security; 2. fault tolerance. Thus, if a centralized
filesystem could compromise user security in any way (e.g. session directory
shared due to pseudorandom collisions), a single SP server would likely be
the better option.
Note: I see that I can compile ZXID_ID_BITS with a fairly high value (i.e.
144), so the chance of a pseudorandom collision should be extremely
improbable in a real-world context.