CoSign: Collaborative Single Sign-On  

cosign-discuss at
general discussion of cosign development and deployment

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: php + cosign scalability

On Tue, 22 Jun 2004, Renju Jacob wrote:

> I was considering deploying cosign filters on a server running Apache
> + php and was wondering if it might not be an ideal platform if the
> volume of requests were really high. I mean, I just wanted to gather
> opinion from people who might have deployed this set up and have had
> issues with scalability. Is there an alternate solution for catering
> to high traffic, if this is not an ideal platform (I mean something
> like cosign filters on Tomcat + jsp ?-not sure if there are cosign
> modules for this platform).
> I'ld really appreciate any advise from folks who have had some
> experience with this issue.

Hi, Renju,

LSA is running mod_cosign for Apache 1.3.x together with
mod_php (PHP 4.3.6) and is not experiencing any problems.
We have other servers where Perl CGIs and mod_perl are
used extensively, and yet others where Java is used
extensively (not in a servlet environment, though, just
as "Java CGIs").

What adds the most overhead is protecting all of your
pages with TLS/SSL.  But this has nothing do to with
cosign per se -- although it's recommended that you
serve all of your cosign protected pages over HTTPS,
cosign should work if you choose to use HTTP instead.
Whether you are using cosign or another solution
such as mod_auth, the biggest thing that can help here
is having an SSL hardware accelerator card in your
web server to offload the cryptographic operations from
your main processors and to reduce the latency of SSL
operations.  Note that mod_cosign will communicate with
the central weblogin servers via a private TLS connection,
and can take advantage of any SSL hardware acclerator
card for this, although the performance improvement will
be insignificant since the amount of back-end traffic is
so small.

So basically, mod_cosign itself adds very little overhead.
If your server is capable of handling the volume of requests
with, say, mod_auth (DigestAuth) and SSL, then it will
certainly be able to handle the same volume when you
replace mod_auth with mod_cosign.

Mostly it will depend on what your PHP pages are doing
and how.

If you want to switch platforms, a JavaCosign implementation
does exist.  I believe it works with at least Tomcat.
You can get the Java cosign filter from

                Mark Montague
                LS&A Information Technology

Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010