
I need to implement a site (HAProxy -> Varnish -> nginx -> uWSGI -> Pyramid, gevent-socketio, gevent -> Cassandra) over a clustered environment with various servers and DBs. What would be the best session management technique I can use? I understand that gevent-socketio makes session management difficult and I am not sure if Beaker, memcached or any other has/will have support for it.

  1. memcached with a central server to handle sessions (I am not expecting too much load initially)

  2. Replication of sessions to each node (I suppose Redis or Cassandra may be able to support replication out of the box)

  3. cookie-only session (I think it's risky)

A session management solution supported by Pyramid, with support for Cassandra and capable of working with gevent-socketio would be cool.

  • Do you *need* session management at all? The `UnencryptedCookieSessionFactoryConfig` setup *is* safe to use, the only risk involved is that the end user can decode the contents and read them; they cannot be tampered with (the contents are signed). – Martijn Pieters Feb 15 '13 at 10:10
  • Martijn, thanks for commenting. Yes, the app needs sessions and the problem is that unless I use sticky sessions, the request may go to different nodes and I will have no way to know that it's for the same session. I am not sure if gevent-socketio poses any additional challenge to this clustered setting; if someone knows then please let me know. – Dev Maha Feb 15 '13 at 16:00
  • Sticky sessions are a snap with HAProxy, of course. But I'd use that only for cache locality only, and still share session data (either through `UnencryptedCookieSessionFactoryConfig` or with a Beaker backend). – Martijn Pieters Feb 15 '13 at 16:02
  • You are right, I have kept sticky sessions as the last resort, and maybe for session-specific things it's not a bad idea; the rest can all be distributed. Though, I would be very worried to use UnencryptedCookieSessionFactoryConfig. – Dev Maha Feb 15 '13 at 16:07
  • Why are you worried about that? I've [written about `UnencryptedCookieSessionFactoryConfig` in the past](http://stackoverflow.com/questions/14531396/in-pyramid-framework-what-is-the-difference-between-default-unencrypted-session/14539402#14539402). – Martijn Pieters Feb 15 '13 at 16:11
  • My worry comes from the Pyramid docs: "You should not use it when you keep sensitive information in the session object, as the information can be easily read by both users of your application and third parties who have access to your users' network traffic. Use a different session factory implementation (preferably one which keeps session data on the server) for anything but the most basic of applications where 'session security doesn't matter'." But the link that you have actually helps. I suppose I still need a way to share session info among nodes; is there something to take care of it? – Dev Maha Feb 15 '13 at 16:39
  • You can use [Beaker](http://beaker.readthedocs.org/en/latest/) (see http://docs.pylonsproject.org/projects/pyramid_beaker/en/latest/ for an easy integration package). You still need to make a storage backend decision but Beaker at least can handle caching and such for you. – Martijn Pieters Feb 15 '13 at 16:44
  • Handling sessions/caching is not an issue, the problem is to sync it across nodes to ensure that I can serve the client from any node that load balancer will send the request to. – Dev Maha Feb 16 '13 at 06:55
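As an added illustration of the point made in the comments (example code, not from the question, Pyramid or Beaker): a minimal signed-cookie session in the style of `UnencryptedCookieSessionFactoryConfig`, showing that anyone holding the cookie can decode its contents without the secret, while any change to those contents is rejected before the payload is deserialized. JSON is used instead of a pickle serializer as a deliberate choice, and `SECRET` is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder: every node behind the load balancer must share one
# long random secret, otherwise cookies signed on one node fail on another.
SECRET = b"replace-me-with-a-long-random-secret"
SIG_LEN = hashlib.sha512().digest_size * 2  # length of the hex HMAC prefix


def _encode(data):
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode("utf-8")


def serialize_session(data, secret=SECRET):
    """Cookie value = hex(HMAC-SHA512(secret, payload)) + base64(payload).

    The payload is plain base64, readable by anyone; only the signature needs the secret."""
    payload = _encode(data)
    sig = hmac.new(secret, payload, hashlib.sha512).hexdigest()
    return sig + base64.b64encode(payload).decode("ascii")


def deserialize_session(cookie, secret=SECRET):
    """Return the session dict, or None if the cookie is malformed or tampered.

    The signature is verified before the payload is parsed, so forged data never
    reaches the deserializer (essential when the serializer is something like pickle)."""
    if len(cookie) < SIG_LEN:
        return None
    sig, encoded = cookie[:SIG_LEN], cookie[SIG_LEN:]
    try:
        payload = base64.b64decode(encoded, validate=True)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(secret, payload, hashlib.sha512).hexdigest()
    # Constant-time comparison on bytes, so a non-ASCII prefix cannot raise.
    if not hmac.compare_digest(sig.encode("utf-8"), expected.encode("ascii")):
        return None
    return json.loads(payload.decode("utf-8"))


def peek_without_secret(cookie):
    """What the end user, or anyone reading plaintext traffic, can see."""
    return json.loads(base64.b64decode(cookie[SIG_LEN:]).decode("utf-8"))


def tamper_payload(cookie, **changes):
    """Re-encode the payload with changed fields but keep the original signature."""
    data = dict(peek_without_secret(cookie), **changes)
    return cookie[:SIG_LEN] + base64.b64encode(_encode(data)).decode("ascii")
```

Because verification only needs the shared secret, the cookie validates on whichever node HAProxy picks, which is the property the comments rely on; what it does not give you is confidentiality of the session contents.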
