Re: How do Large Scale Web Service Applications Maintain Session State?

Tech-Archive recommends: Speed Up your PC by fixing your registry

"Joseph Geretz" <jgeretz@xxxxxxxxxx> wrote in message
news:Os%23v1SXTHHA.4844@xxxxxxxxxxxxxxxxxxxxxxx
Hi John,

Here's are a few specific example, in our case. First of all, our
application implements application defined authentication. To keep every
transaction absolutely stateless, this will require authentication on
every single application call. Won't it be much more efficient to allow
the client application to authenticate once against the database and then
to maintain that authenticated state for every transaction which is
submitted by that authenticated client, until the client logs off, or the
time-out period expires?

You can authenticate once, and have the "login" operation return an
authentication token in a SOAP header. All subsequent operations would
include the token in a SOAP header they send. I've implemented this, and
it's very simple.

Second, and tangentially related issue, our application defines detailed
user profiles which define what a particular user can and cannot do.
Again, absolute statelessness on the Server would require us to check the
database on every single transaction to authorize the transaction. Our
concept is to cache these profiles on the server in order to increase
performance.

The profiles can certainly be cached. You would use the authentication
information in the token (or referred to by the token) to determine which of
the cached profiles to use for the current operation. This is application
state, not operation state.

Naturally, I agree with you that specific application classes (i.e.
classes providing direct services to application clients) on the server
should not maintain state, since this limits their usability to a single
client. However, the caching of session state on the server is a different
issue and can have tremendous benefits for performance, without
compromising scalability, if done correctly (as far as I can imagine). Our
proposed architecture would implement a stateful Web Service server
application, which is something different than stateful Web Service
classes.

We may be using the term "stateful" to mean different things. "Stateless" to
me doesn't mean that the server doesn't maintain any state. It means that
the server doesn't depend on the saved state from previous operations in
order to process the current operation. It means that the operations aren't
constrained to execute in a particular order because the results of one
operation are required before the next can execute.

For instance, I said you can cache the profile information. But if the
profile isn't in the cache when you need to use it, you don't fail - you
load the profile into the cache.

As an example of what not to do, it would be better to create a file system
access service by creating a "ListDirectory" operation rather than
"FindFirst" and "FindNext" operations. "FindNext" requires the server to
maintain state from the "FindFirst" and previous "FindNext" operations.


HTH,
John


.

Relevant Pages

  • RE: Error -2147168246 New transaction cannot enlist in the specified t
    ... Server Driver]Distributed transaction error. ... By going to the 2003 Server and changing the Security Configuration of MSDTC ... from Mutual Authentication to Caller or No authentication. ...
    (microsoft.public.sqlserver.dts)
  • Anyone using Win2003 for server based Mac profiles?
    ... If anyone else is using Active Directory for ... authentication and specifically hosting the home folder on the Windows ... server, I'd be interested in any SNAFUs you've had. ... profiles for a bit as a reference test. ...
    (uk.comp.sys.mac)
  • Re: Kerberos machine authentication - apparent authentication fail
    ... > until logon), the wireless connection can kick off when it is ready. ... > was confirmed in the server event logs with IAS (i set that up as the radius ... > as an ordinary user kicks in and takes over from the machine authentication. ... > while the network sorts itself out and a double click on a network link of ...
    (microsoft.public.windows.server.security)
  • Re: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 = failure?
    ... SYSTEM account. ... In IIS I took the virtual server that I was testing, ... Authentication premise. ... From a website perspective, I ...
    (microsoft.public.inetserver.iis.security)
  • Need help configuring Wireless Connection profile
    ... I have an SBS 2003 server and a Server 2003 member server set up using RADIUS ... Windows authentication for all users,4129,LRG\ryanv,4149,Wireless WPA2 PEAP ... Certificate Services ...
    (microsoft.public.windowsxp.general)