Help: How to track user session with fastcgi

I want to use nginx as web front, dispatching uri of dynamic content to
fastcgi processes. How to track user session in such situation?

I reviewed ngx_http_userid_module, which generates new user id if
special cookie key not found. But it has some cons:

  • If this is the first time user visiting site page, nginx can’t record
    user id with just visited page into log file

  • If the first visited page is generated by a fastcgi process, the
    fastcgi process can’t get user id just generated by
    ngx_http_userid_module

Is there any way to work out? Thanks.

ip_hash

2007/10/25, Yingyuan C. [email protected]:

  • If the first visited page is generated by a fastcgi process, the
    fastcgi process can’t get user id just generated by ngx_http_userid_module

Is there any way to work out? Thanks.


yingyuan


Best Regards

焦胜强
上海我要网络发展有限公司  运维部
上海浦东新区峨山路91弄200号新鹏大厦6楼 邮编 200127
Tel: +86(021)58815151-5160
Fax: +86(021)50904695
QQ: 34849502
MSN: [email protected]
Email: [email protected]
Visit us: http://www.51.com

ip_hash can direct requests to consistent backends, but it can’t
generate session id used by fastcgi processes. All I need is the method
to generate session id which would be used by fastcgi processes and
record the session id generated into log file.

Maybe my description was obscure before. Thank you very much anyhow.

Best regards


yingyuan

½¹Ê¤Ç¿ дµÀ:

If you want some way to assign session id to user for security/external
data storage identifier etc (the “sessions” in php’s meaning) - you should
use other means to generate them.

Note: cookies generated by userid module shouldn’t be used as security
identifier, since malicious user can easily guess other user’s cookie.

You could implement signed cookies like OpenACS or Django do:

http://openacs.org/doc/current/security-design.html

http://code.djangoproject.com/ticket/3285

Thank you Maxim D…

Maybe I should consider a ‘ngx_http_sessid_module’ based on
‘ngx_http_userid_module’. Any more advice?


yingyuan

Maxim D. 写道:

Thank you Valery K…

I think it deserves to be developed.


yingyuan

Valery K. 写道:

Hello!

On Thu, 25 Oct 2007, Yingyuan C. wrote:

I want to use nginx as web front, dispatching uri of dynamic content to
fastcgi processes. How to track user session in such situation?

I reviewed ngx_http_userid_module, which generates new user id if
special cookie key not found. But it has some cons:

  • If this is the first time user visiting site page, nginx can’t record
    user id with just visited page into log file

It can. The uid_set variable contains userid cookie nginx set in
response, and may be used in log.

  • If the first visited page is generated by a fastcgi process, the
    fastcgi process can’t get user id just generated by ngx_http_userid_module

Yes. The above variable can’t be passed to fastcgi backend since userid
module actual work happens while sending headers to client (i.e. after
fastcgi request).

Is there any way to work out? Thanks.

Userid module was designed to track users through http logs for
statistical purposes, and it solves the problem.

If you want some way to assign session id to user for security/external
data storage identifier etc (the “sessions” in php’s meaning) - you
should
use other means to generate them.

Note: cookies generated by userid module shouldn’t be used as security
identifier, since malicious user can easily guess other user’s cookie.

Maxim D.

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs