[Seaside] Fatal Flaw in my Web App!

Ramon Leon ramon.leon at allresnet.com
Fri May 23 20:17:05 UTC 2008


> I just discovered a fatal flaw in my web app. By chance, I was looking
> at the PostgreSQL database for my app, which uses GLORP. When I did
> the following in PSQL:
> 
> SELECT * FROM PG_STAT_ACTIVITY;
> 
> I discovered much to my horror that the DB connections from previous
> logins/logouts were still lingering around. I had assumed that they'd
> time out and go away. When I logout, I do a session expire, and I
> thought this takes care of all GLORP issues. Apparently, I was dead
> wrong!
> 
> Is there a nice easy way for me to solve this without doing major
> surgery to my web app? At the time of logout (or even Seaside session
> timeout), I do not necessarily have access to the GLORP instance
> variables.
> 
> Thanks,
> Richard

You shouldn't be holding open a connection per Seaside session in a web app
to begin with.  You want a Glorp session per Seaside session, not a Postgres
connection per Seaside session.  Glorp sessions are not tied to any
particular connection; you can swap the connection in and out from a
connection pool on a per-request basis.  When a request comes in, grab a
connection from your pool, assign it to the current Glorp session, and
return it to the pool at the end of the request.  Do not rely on Seaside
session expiration to manage your connections for you; it's just a bad idea
and opens you up to easy denial-of-service kinds of attacks.  There's a
connection pool in the GlorpSeaside package or the Glorp package on
SqueakSource for just this situation.

Ramon Leon
http://onsmalltalk.com
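As an added illustration (not code from this thread, nor from Glorp or Seaside), the following Python model contrasts the two connection lifetimes discussed above: a connection taken at login and held for the whole Seaside session, versus one borrowed from a bounded pool for a single request and returned afterwards. `Connection`, `ConnectionPool`, `Session`, `request_scope` and `connections_held` are constructed names for the model, not Glorp or Seaside APIs.

```python
import queue
from contextlib import contextmanager

Connection = object  # constructed stand-in for one Postgres backend (a pg_stat_activity row)


class ConnectionPool:
    """Bounded pool: never more than max_size backends; idle ones are reused."""
    def __init__(self, max_size):
        self.max_size, self.created, self._free = max_size, 0, queue.Queue()
    def acquire(self):
        try:
            return self._free.get_nowait()
        except queue.Empty:
            if self.created >= self.max_size:
                raise RuntimeError("pool exhausted")  # a real pool would block with a timeout
            self.created += 1
            return Connection()
    def release(self, conn):
        self._free.put(conn)
    def in_use(self):
        return self.created - self._free.qsize()


class Session:  # models a Glorp session: per-user state, connection is swappable
    def __init__(self):
        self.connection = None


@contextmanager
def request_scope(pool, session):
    """Per-request pattern: borrow a connection, attach it, always give it back."""
    session.connection = pool.acquire()
    try:
        yield session
    finally:
        pool.release(session.connection)
        session.connection = None


def connections_held(users, pool_size, per_request):
    """Return (connections still checked out, pool exhausted?) after every
    user has logged in and made one request under the chosen model."""
    pool, exhausted = ConnectionPool(pool_size), False
    try:
        for user in users:
            session = Session()
            if per_request:
                with request_scope(pool, session):
                    pass  # the request's Glorp queries would run here
            else:  # anti-pattern from the thread: held for the Seaside session's lifetime
                session.connection = pool.acquire()
    except RuntimeError:
        exhausted = True
    return pool.in_use(), exhausted
```

With a pool of two and five logged-in users, the session-bound model exhausts the pool at the third login and leaves two connections checked out indefinitely, while the per-request model finishes with none held.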
