HTTP Basic Auth, Reading Password File and Performance

I'm curious to know what the implications are of using HTTP Basic Auth on a web server like Apache, lighttpd or nginx. I believe the bottleneck is the server's actual reading of the password file to authenticate the user. It also seems to me that the cost of reading the file to authenticate a user is proportional to the number of users in that file.

The questions I have are:
1. Is there a certain number of users at which authenticating through the password file starts to crash, or is the cost simply linearly related to the number of users in the file?
2. Considering HTTP's statelessness, once the user has been authenticated with HTTP Basic Auth by the web server on one request, does the client:
- just forward the credentials on each request, so that the web server has to parse the password file each time to determine whether the request comes from a valid user?
or
- get something like a token that it uses in the HTTP header on subsequent requests, which allows the server to not parse the password file again?


+2




3 answers


  • Linearly relative. I wouldn't worry. HTTP Basic Auth is considered scalable. Just take the Twitter API as an example. It uses Basic Auth.

  • "Since HTTP is stateless, every request will be handled the same way, even if it belongs to the same client. That is, every resource requested from the server will have to provide authentication credentials again to get the resource. Fortunately, the browser takes care of the details here, so you only need to enter your username and password once during your browser session, meaning you may need to enter it again the next time you open your browser and visit the same website."



See the Apache Auth Documentation for details.

+3




My experience with Apache 2.x.



  • Yes. It will be inline with the default authentication provider (file). It uses ap_cfg_getline(), so it will be linear in the number of rows (users).
  • Yes. mod_aaa has to parse the password every time. You can use something like MemCookie for cookie or token based authentication.

+1




Parsing a file once at login should scale quite well, regardless of the number of users. I wouldn't bother with that. In the future, you can develop a database driven approach with proper indexing. I suspect that of all the bottlenecks you come across in your website development, Basic Auth won't be one for a very long time - unless your web server is exhausted.

0
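The two points made in the answers above (a flat htpasswd-style file is scanned linearly, and a token issued after the first successful check avoids re-reading it) can be shown with a small added example. This is not code from the question or from Apache; it assumes a constructed password file in the `{SHA}` format (base64 of SHA-1, one of the schemes Apache's file provider accepts), a hypothetical in-memory token store, and a plain Python dict standing in for the "database with proper indexing" the last answer mentions.

```python
import base64
import hashlib
import hmac
import secrets


def sha_entry(user, password):
    """Build one htpasswd line in the {SHA} scheme (constructed sample data)."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"


# Constructed file with 1000 users: user1..user1000, passwords pw1..pw1000.
HTPASSWD_TEXT = "\n".join(sha_entry(f"user{i}", f"pw{i}") for i in range(1, 1001)) + "\n"


def verify_sha(password, stored):
    """Check a plaintext password against a {SHA} field, in constant time."""
    if not stored.startswith("{SHA}"):
        raise ValueError("only {SHA} entries are handled in this example")
    expected = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(expected, stored[len("{SHA}"):])


def linear_lookup(text, user, password):
    """Scan the file top to bottom, the way a flat-file provider does.
    Returns (authenticated, lines_examined) so the linear cost is visible."""
    examined = 0
    for line in text.splitlines():
        examined += 1
        if not line or line.startswith("#"):
            continue
        name, _, stored = line.partition(":")
        if name == user:
            return verify_sha(password, stored), examined
    return False, examined


def build_index(text):
    """Parse the file once into a dict; later lookups no longer touch the file."""
    index = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, stored = line.partition(":")
        index[name] = stored
    return index


def indexed_lookup(index, user, password):
    """O(1) lookup; still hashes on an unknown user so timing does not reveal it."""
    stored = index.get(user)
    if stored is None:
        verify_sha(password, "{SHA}" + "A" * 28)  # dummy work, result discarded
        return False
    return verify_sha(password, stored)


def parse_basic_header(header):
    """Decode 'Basic <base64(user:password)>'; return (user, password) or None."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


# Hypothetical token store: after one successful Basic check, hand back an opaque
# random token so later requests are validated by a dict lookup, not a file scan.
SESSIONS = {}


def issue_token(user):
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def user_for_token(token):
    return SESSIONS.get(token)


if __name__ == "__main__":
    creds = parse_basic_header("Basic dXNlcjEwMDA6cHcxMDAw")  # user1000:pw1000
    ok, lines = linear_lookup(HTPASSWD_TEXT, *creds)
    print(f"linear scan: authenticated={ok}, lines examined={lines}")
    idx = build_index(HTPASSWD_TEXT)
    print("indexed:", indexed_lookup(idx, *creds))
    tok = issue_token(creds[0])
    print("token maps back to", user_for_token(tok))
```

Run as a script it shows the last user in the file costing 1000 line reads on a scan versus a single dict hit once indexed; the token store is the same idea MemCookie or any session cookie implements.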



