[pmwiki-users] Announcement: HtpasswordForm recipe major update

Dominique Faure dominique.faure at gmail.com
Tue Oct 17 07:54:33 CDT 2006


On 10/17/06, Crisses <crisses at kinhost.org> wrote:
>
> On Oct 17, 2006, at 2:37 AM, Dominique Faure wrote:
>
> > On 10/16/06, The Editor <editor at fast.st> wrote:
> >>
> >> One question though...  What is the reasonable limit to the number of
> >> members you would recommend administering with something like
> >> htpasswdform?  Hundreds?  Thousands?  More?
> >>
> >
> > According to Apache Week[1]:
> >
> > << Problems with Large Numbers of Users
> >
> > Using htpasswd to create a text list of users, and maintaining a list
> > of groups in a plain text file is relatively easy. However if the
> > number of users becomes large, the server has a lot of processing to
> > do to find a user's group and password details. This processing has to
> > be done for every request inside the protected area (even though the
> > user only enters their password once, the server has to
> > re-authenticate them on every request). This can be slow with a lot of
> > users, and adds to the server load. Much faster access is possible
> > using DBM format files. This allows the server to do a very quick
> > lookup of names, without having to read through a large text file.
> > However managing DBM files is more complex. Apache Week will cover the
> > use of DBM authentication in a future issue. >>
> >
> > These considerations fully apply to PmWiki as well. IMHO, I wouldn't
> > use it for more than a few dozen users.
>
>
> Caveat:
>
> Apache needs to use htpasswd to reauth a user every time IF you're
> actually using Apache's htpasswd authentication on the site.  If
> you're using PmWiki with htpasswd FILES for authentication -- not
> Apache's passwording, just Apache's password files for authentication
> data storage, PmWiki will NOT be authenticating people against
> htpasswd at every browser request.  PmWiki stores authentication data
> in session and cookie data after the user is authenticated.  This is
> NOT the same thing as setting up user authentication in Apache.
>
> The key is whether or not you changed any Apache config or .htaccess
> files to require authentication.  If you didn't, then you're only
> using the htpasswd authentication as a convenience for PmWiki
> authentication -- not Apache authentication.
>
> The server load on a LARGE database won't be anywhere near as big.  I
> personally would keep an eye on the load, and keep in mind that I
> might need to swap auth methods if it got very large, but I don't see
> the text search against the large database being a problem since it's
> *not* hit on every browser request.
>

It's nice to point that out, but the previous considerations are still
valid in the recipe context since the htpasswd/htgroup files are
effectively read and eventually written each time the browser refreshes
the administration form page (more precisely, it uses temporary arrays
[as PmWiki does] to handle file contents and so may hit memory
limitations when handling large files).

Dom
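
As an added illustration (not part of the original post, and not code from the HtpasswordForm recipe, PmWiki or Apache), the Python example below contrasts the flat-file scan described in the Apache Week quote with a keyed DBM lookup. The file contents are constructed, the hash strings are placeholders, the function names are hypothetical, and Python's dbm module stands in for Apache's DBM files.

```python
import dbm
import os
import tempfile

def make_htpasswd(path, n_users):
    """Write a constructed htpasswd-style file: one 'user:hash' line per user."""
    with open(path, "w", encoding="utf-8") as fh:
        for i in range(n_users):
            # Placeholder hash strings, not real crypt output.
            fh.write(f"user{i:05d}:$placeholder$hash{i:05d}\n")

def scan_lookup(path, user):
    """Flat-file lookup: read line by line until the user is found.
    Returns (hash or None, number of lines read)."""
    lines_read = 0
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            lines_read += 1
            name, sep, pw_hash = line.rstrip("\n").partition(":")
            if sep and name == user:
                return pw_hash, lines_read
    return None, lines_read  # an unknown user costs a full pass over the file

def build_index(htpasswd_path, db_path):
    """One-time conversion of the text file into a keyed DBM file."""
    with open(htpasswd_path, encoding="utf-8") as fh, dbm.open(db_path, "n") as db:
        for line in fh:
            name, sep, pw_hash = line.rstrip("\n").partition(":")
            if sep:
                db[name] = pw_hash

def dbm_lookup(db_path, user):
    """Keyed lookup through the DBM library instead of a line-by-line scan."""
    with dbm.open(db_path, "r") as db:
        value = db.get(user)  # DBM backends return bytes, or None if absent
        return value.decode("utf-8") if value is not None else None

if __name__ == "__main__":
    workdir = tempfile.mkdtemp()
    txt, db = os.path.join(workdir, "htpasswd"), os.path.join(workdir, "users")
    make_htpasswd(txt, 5000)
    build_index(txt, db)
    print(scan_lookup(txt, "user04999"))  # last entry: every line is read
    print(scan_lookup(txt, "nobody"))     # missing user: every line is read
    print(dbm_lookup(db, "user04999"))
```

The cost of the scan grows with the position of the entry, and a failed lookup always reads the whole file, which is the per-request work the quoted article warns about when Apache itself performs the authentication.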



