Page 1 of 1
Visitor and BOT Sessions on a popular MiServer web site
Posted: Mon Mar 25, 2019 3:51 pm
by woody
Greetings.
If I have a popular (100 new visitors each day) web site running on MiServer 2.x ...
Will there be any problems with too many MiServer Sessions (name spaces) being created ?
What if 1000 visitors hit the site in 1 day ?
OR what if an external service or "BOT" hits the site 1000 times in a day ... but does NOT store the cookie... causing 1000 separate sessions?
Should I write some code to "DELETE" or "PURGE" abandoned sessions to save space ?
Thanks for the help!
//W
Re: Visitor and BOT Sessions on a popular MiServer web site
Posted: Tue Mar 26, 2019 6:15 pm
by Brian|Dyalog
Hi Woodley,
There are a lot of factors that contribute to how many visitors MiServer can support. They include (in no particular order):
- workspace size
- the size and nature of your application and how much data exists for each user
- session timeout
- how many unique pages the user accesses during the session
- how active (or inactive) the users are once they access the MiSite
From our experience with TryAPL (which has run almost 24/7/365 since 2012 using MiServer v2) we saw a huge usage hit in its first couple months (1000's of users in a single day) as a result of being mentioned on Reddit. The only glitch was a workspace full when trying to retrieve all the session file names, which we've since addressed. TryAPL runs in a rather modest Linux virtual machine.
Session handling is managed using a separate "extension" class. The default session handler is implemented in SimpleSessions.dyalog. Whenever the listener in MiServer times out (after 20 seconds of inactivity) the HouseKeeping method in the session handler is called. SimpleSessions.HouseKeeping looks at all the existing sessions and purges any that have had no activity within the session timeout period which defaults to 10 minutes. In MiServer v2, it's a little less convenient to set the alter the timeout. In MiServer v3, the session timeout is a parameter in the Server.xml configuration file.
So, to attempt to answer your question(s):
- Will there be any problems with too many sessions? Probably not, but it depends on a variety of factors. Even if there is a problem, there are a number of ways to address it depending on its nature.
- Do you need to write some code to purge dead sessions? No, MiServer does this for you.
I hope this helps!
/Brian
Re: Visitor and BOT Sessions on a popular MiServer web site
Posted: Wed Mar 27, 2019 12:32 pm
by woody
Good info, Brian.
So.. to be clear ...
Is there any difference in the MiServer sessions between these two scenarios:
1. Normal user with browser who accepts the session cookie
2. BOT emulated browser that does NOT accept the session cookie
If a browser returns to the MiServer ... and the current session cookie is FOUND within MiServer (e.g. a current active session within 10 minutes) ...
Then, that same session namespace is referenced and reused for the http request.
But, for a looping BOT that does not hold a MiServer session cookie, a new MiServer session will be created each time it sends an HTTP request to MiServer ?
In a real-world example, I have several external APL Client apps running multiple HTTP requests against a MiServer (like a Web Service) ... and I do NOT store the returned MiServer session cookie.
After hundreds (thousands) of HTTP gets ... MiServer throws a workspace full.
Are Session Cookies KEY to creating and keeping the MiServer Sessions?
Thanks!
//W
Re: Visitor and BOT Sessions on a popular MiServer web site
Posted: Thu Mar 28, 2019 4:12 pm
by Brian|Dyalog
Hi Woodley,
Yes, there is a difference between "normal" users who use cookies as the link to their MiServer sessions and users (bot or otherwise) that do not accept or use cookies.
The Session cookie is the link between the user and the state that MiServer maintains for that user.
The sole purpose of sessions is to maintain state across requests from the same user. It sounds like your APL client apps are stateless, so one might question why you're using sessions at all. If all your requests are HTTP GET requests, there's no need for sessions. However, if you need HTTP POST (form submission or APLJax callbacks), then you will need sessions.
As I see it, there are two possible scenarios:
- You really don't need to maintain state across requests for any users (bot or otherwise). In this case, change <SessionHandler> element in /Config/Server.xml to <SessionHandler></SessionHandler> (a null value). Do NOT remove the <SessionHandler> element though, because MiServer will default to using SimpleSessions if <SessionHandler> does not exist.
- You have a hybrid environment where some requests need state whilst others do not. This is a bit more work, but it's not that difficult. In this case you'll need to:
- Have a way to distinguish between requests that need state and those that don't. I would use the URL by either appending a query parameter (e.g. http://mysite.com/mypage?nosession=true) or setting aside specific pages for statelessness (e.g. http://mysite.com/nosessionpage).
- Then copy SimpleSessions from the MiServer/Extensions/ folder to your MiSite's /Code/ folder and modify the copy to detect the query parameter or the page name and not create a session for that request.
If you need, I can help with some of the details once I have a better understanding of exactly what you're trying to do.
I hope this helps!
/Brian