OASIS Mailing List Archives

wsrp message
Subject: Re: [wsrp] What is the symmetrical method for initCookie?



Agreed, but for legacy reasons some Producers will need to use cookies. Key points:
  1. We tried to limit the appearance of cookies as much as possible in the protocol.
  2. Producers needing to use cookies to reference sessions will need to architect/implement clean solutions.

Example: Producer would like Consumer to indicate when cleanup of resources is allowed without loss of state. Choice is made to reflect cookie as WSRP session as well. Producer cannot expect Consumer assistance in maintaining tie between cookie and sessionID against things like cookie timeout. Producer should use InvalidCookie fault on such a timeout if it needs assistance in re-establishing the session and only view the sessionID as a reference being supplied to the Consumer in order to encourage a future invocation of releaseSessions() ... the InvalidSession fault should never be thrown. This restricts all the issues of maintaining this tie to the Producer without introducing the overhead of additional roundtrips.

Rich
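A Producer-side sketch of the tie described above (each cookie mirrored by a WSRP session, InvalidCookie on cookie timeout, InvalidSession never raised, releaseSessions() as the cleanup trigger), added here as an illustration; it is not code from the WSRP specification or from any Producer, and the Producer class, its method names and the cookie format are constructed. The idle sweep at the end also addresses the orphaned-session concern raised in the earlier messages quoted below.

```python
import time

class InvalidCookie(Exception):
    """WSRP InvalidCookie fault: the Consumer is expected to call initCookie() again."""

class Producer:
    """Toy Producer (constructed model): each cookie is mirrored by one WSRP session; the
    sessionID is only a reference for releaseSessions(), so InvalidSession is never raised."""

    def __init__(self, cookie_ttl=1800.0, clock=time.time):
        self.cookie_ttl = cookie_ttl        # idle timeout in seconds
        self.clock = clock                  # injectable so the timeout can be tested
        self.sessions = {}                  # sessionID -> {"cookie", "last_seen", "state"}
        self.cookie_to_session = {}         # cookie value -> sessionID
        self._counter = 0

    def init_cookie(self):
        """initCookie(): mint a cookie and the WSRP session that mirrors it."""
        self._counter += 1
        cookie = f"PRODUCERSESSION=c{self._counter}"   # constructed sample cookie value
        sid = f"sess-{self._counter}"
        self.sessions[sid] = {"cookie": cookie, "last_seen": self.clock(), "state": {}}
        self.cookie_to_session[cookie] = sid
        return cookie, sid

    def perform(self, cookie, session_id, key, value):
        """One portlet invocation: store key=value in the session the cookie names."""
        sid = self.cookie_to_session.get(cookie)
        if sid is None or self.clock() - self.sessions[sid]["last_seen"] > self.cookie_ttl:
            self._drop(sid)                 # the Producer alone owns the cookie/session tie
            raise InvalidCookie("cookie unknown or timed out; re-run initCookie()")
        # A stale or mismatched session_id is ignored on purpose: the cookie is authoritative.
        entry = self.sessions[sid]
        entry["last_seen"] = self.clock()
        entry["state"][key] = value
        return dict(entry["state"])

    def release_sessions(self, session_ids):
        """releaseSessions(): the Consumer's signal that cleanup is allowed; returns what was freed."""
        return [sid for sid in session_ids if self._drop(sid)]

    def expire_idle(self):  # Producer-side sweep so orphaned sessions cannot accumulate without bound
        stale = [s for s, e in self.sessions.items() if self.clock() - e["last_seen"] > self.cookie_ttl]
        return sum(1 for s in stale if self._drop(s))

    def _drop(self, sid):
        entry = self.sessions.pop(sid, None)
        if entry:
            self.cookie_to_session.pop(entry["cookie"], None)
        return entry is not None
```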



Richard Jacob <richard.jacob@de.ibm.com>
07/19/2004 08:53 AM

To: Rich Thompson/Watson/IBM@IBMUS
cc: wsrp@lists.oasis-open.org
Subject: Re: [wsrp] What is the symmetrical method for initCookie?

I'm not sure if tying these should really be the appropriate approach.
Especially if wsrp sessions/cookies expire, this could lead to multiple
additional required roundtrips (re-establishing the cookie and wsrp
session).

With kind regards / best regards,

       Richard Jacob
______________________________________________________
IBM Lab Boeblingen, Germany
Dept.8288, WebSphere Portal Server Development
WSRP Standardization Technical Lead
Phone: ++49 7031 16-3469  -  Fax: ++49 7031 16-4888
Email: mailto:richard.jacob@de.ibm.com


                                                                         
Rich Thompson <richt2@us.ibm.com>
07/14/2004 09:24 PM

To: wsrp@lists.oasis-open.org
Subject: Re: [wsrp] What is the symmetrical method for initCookie?

If you are going to use the cookie in such a manner, I would suggest
architecting the system such that the cookie is also reflected as a WSRP
session. This raises it to the protocol level and the releaseSessions()
operation can be used to trigger the desired cleanup.

Rich

                                                                         
Khurram_Mahmood@peoplesoft.com
07/14/2004 03:13 PM

To: wsrp@lists.oasis-open.org
Subject: Re: [wsrp] What is the symmetrical method for initCookie?

1) producer will not know when to throw away the session cookie.  In the
absence of a releaseCookies operation, the only time a producer knows when
to kill the user session is when a logged in user's http session expires.
This, in my opinion, is a problem.  We have seen cases where customers bump
up the session expiry times to large periods.  This happens mostly in
non-shared machine environments and there are valid reasons for it.  In
such situations, if the system just depends on the session expiry times and
not the user logging out, the webserver runs out of memory due to the
orphaned sessions.

Essentially, we need some way for the consumer to tell the producer that a
user has logged out.  It doesn't really matter whether it is a releaseCookie
call or just a userLogout call -- something that can help the producer
identify and clean up the unneeded resources.  This is needed with or
without the initCookie, i.e. even if a system doesn't set cookies but uses
URL re-writing to maintain sessions.  In any non-trivial system, producers
will have resources tied up to a logged-in user.  As Ricky wrote, this
opens the system up to denial of service attacks; even without the attacks,
the system can run out of memory if the expiry times are large, as I stated
above.  This and security were the main reasons why logouts were invented
in the first place.

The main question is whether WSRP, which is an application protocol, should be
handling this, or whether this should be handled by something like WS-Security.
What are your thoughts on that?

"Rich Thompson" <richt2@us.ibm.com>
07/14/2004 11:37 AM

To: wsrp@lists.oasis-open.org
cc: (bcc: Khurram Mahmood/PeopleSoft)
Subject: Re: [wsrp] What is the symmetrical method for initCookie?

When this was discussed, it was decided that a releaseCookies() was not
needed since 1) the Producer may throw cookies away at any time it desires
and 2) initCookie() was only placed into the protocol due to the unique
initialization needs of clustered servers (and viewed by most as a
pollution of the protocol!).

Rich


ricky_frost@peoplesoft.com
07/14/2004 02:21 PM

To: wsrp@lists.oasis-open.org
Subject: [wsrp] What is the symmetrical method for initCookie?

It seems that unless there is a method like "releaseCookie", the producer
will be open to DoS attack, or more likely just to running out of
resources on a busy server.

Thanks



To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/wsrp/members/leave_workgroup.php.





