Beefy Boxes and Bandwidth Generously Provided by pair Networks
more useful options
 
PerlMonks  

Re: Re: cgi and https (mildly off topic)

by IlyaM (Parson)
on Nov 27, 2001 at 15:59 UTC ( #127786=note: print w/ replies, xml ) Need Help??


in reply to Re: cgi and https (mildly off topic)
in thread cgi and https (mildly off topic)

There is no way how HTTP authentication can be conducted only once and not repeated with each page retrieved. Read RFC for HTTP 1.1. Basic HTTP authorization require user agent to send username and password on each HTTP request for protected area.


Comment on Re: Re: cgi and https (mildly off topic)
Re: Re: Re: cgi and https (mildly off topic)
by Spenser (Friar) on Dec 11, 2001 at 22:57 UTC

    I'm sorry to have taken so long to respond to your comments, IlyaM, but I got side tracked with other activities and I needed time to ponder your comments. I agree with your comments, but to the extent that they contradict mine, I'm now confused.

    What you said makes sense as I understand httpd: After a page is requested from Apache and delivered, the relationship is terminated, the daemon dies along with all references to the client. If this understanding of mine is incorrect, please correct me.

    My error seems to come from my reading of a line in O'Reilly's book, Apache: The Definitive Guide (2nd Edition) by Ben & Peter Laurie. In Chapter 5: Authentication, on page 126, the section entitled, "Using .htaccess Files" it says:

    "The drawback to the .htaccess method is that the files are parsed for each access to the server, rather than just once at startup, so there is a substantial performance penalty."

    Honestly, I think you're right. I must be misreading O'Reilly's book. I know it's not your job to defend O'Reilly, but I'm trying to reconcile the two logical comments. Incidentally, I think this relates to Perl and Perl Monks in that the CGI.pm is very widely used by perl programmers.

    Please let me know what you think.

    -Thanks.

      To clarify any possible confusion:

      .htaccess does affects perfomance since it is parsed on each request. This is correct. But actually it is not related directly to HTTP authorization. This perfomance hit occurs for any request for file in directory with .htaccess file whenever that directory is protected with HTTP authorization or not.

      HTTP authorization commands can be put both into .htaccess and into main apache config file. In both cases authorization should be conducted on each request because of stateless nature of HTTP protocol.

      I think in most cases having HTTP authorization commands in .htaccess or in main config doesn't affect perfomance so much as proper selection of auth module. Certantly plain text files is much more slower than indexed database for big number of users.

      --
      Ilya Martynov (http://martynov.org/)

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://127786]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others perusing the Monastery: (11)
As of 2014-12-18 10:39 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    Is guessing a good strategy for surviving in the IT business?





    Results (49 votes), past polls