memcached session data, access security, Usage scenario summary (3)

Recently made a single sign-on SSO, the login credentials placed on the memcached token to the cookie, but the user often dropped the line, development environment and testing did not have this problem, and finally from memcached to find the reason.

memcached concept, function, operation principle, characteristics, insufficiency simple carding (1)

memcached download installation, net to memcached for CRUD operations (2)

memcached session data, access security, Usage scenario summary (3)

First, session data into the memcached?

Memcached Creator Dormando has written two articles:

Sessions in Memcached

Cache your sessions. Don ' t piss off your users

The first article states that if you store a session with memcached, the user will not be able to log in or be kicked off when the memcached cluster fails (such as a memory overflow) or maintenance (such as upgrading, increasing, or reducing the server).

The second article points out that the memcached recovery mechanism may cause users to fall out of line for no reason.

For Dormando's two articles, he thinks the reasons given in the first article are easy to understand, and people often do not understand the reasons given in the second article. So he elaborated on this reason in detail:

Memcached for Dummies

Memcached uses the least recently used (LRU) algorithm to reclaim the cache. But Memcached's LRU algorithm executes on each slab class, not on the whole. This means that if all sessions are roughly the same size, they will be divided into two or three slab classes. All other data of roughly the same size will be placed in the same slab with the session contention storage space. Once the slab is full, even if there is room in the larger slab, the data will be recycled instead of being put into the larger slab ... In a particular slab, the oldest user of the session will be dropped. The user will start to randomly drop the line, and worst of all, you probably won't even notice it until the user starts complaining ...

It seems that memcached is a system designed to cache data instead of storing data, and therefore should not be used to store sessions.

Developers are advised not to store sessions with memcached.

Second, what kind of data suitable for put memcached

Not suitable for the situation:

1. If it is a small website, PV value is not big, do not consider memcached

2. Change frequently, a change will be put into storage (stock, finance), do not consider memcached

3. Too large data can not be put into memcached

4. The size of the cache object is greater than 1MB

5.key is longer than 250 characters

Suitable situation:

1. Frequent changes, frequent queries, but not necessarily written to the database (such as the user online status, the number of people online. Suitable for memcached)

2. Infrequent changes, frequent queries, regardless of into the storage, are more suitable for memcached.

Third, memcached access security

Memcache server is directly through the client connection directly after the operation, there is no verification process, so if the server is directly exposed to the Internet is more dangerous, light data leakage by other unrelated personnel view, heavy server was compromised, because Mecache is running with root privileges, In addition, there may be some of our unknown bugs or buffer overflow situation, these are unknown to us, so the danger is predictable.

Intranet access: It is best to place the two servers in the intranet form, usually between the Web server and the Memcache server. Universal servers are two network card, a point to the Internet, a point to the intranet, then let the Web server through the intranet network card to access the Memcache server, we memcache on the server when the boot on the network to listen to the IP address and port, Access between the intranet can effectively block other illegal access.

Firewall is a simple and effective way, if the two servers are hanging in the network, and need to access the Memcache through the extranet IP, then you can consider using a firewall or agent to filter illegal access.

Iv. Summary

Here I think you have some understanding of memcached.

Memcached is not a database, it is not a system for storing data, he is just a memory cache data system.

Memcached is not the only source of information, it is to assist the database operation, to improve the query speed of information.

Memcached is Key-value storage, so key conventions and naming specifications are important to facilitate later maintenance.

memcached session data, access security, Usage scenario summary (3)