How does Nginx look-up cached resource?

Sergey Brester serg.brester at sebres.de
Fri Sep 4 18:56:23 UTC 2015


On 04.09.2015 20:10, Maxim Dounin wrote:

> For sure this is something that can be done. The question remains
> though: how often collisions are observed in practice, does it make
> sense to do anything additional to protect from collisions and
> spend resources on it? Even considering only md5, without the
> crc32 check, no practical cases were reported so far.

What?
That SHOULD be done! Once is already too much!

nginx can cache pages from different users (key contains username),
so imagine in the case of such a collision:
   - user 1 will suddenly receive user 2's information;
   - if authorisation uses "auth_request" (via fastcgi) and it is
cached (because of performance resp. persistent handshake-like
authorisation), then user 1 will even act as user 2 (with his
rights and authority) etc.

I can write here a hundred situations that should never ever occur!
Never.
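
The failure mode described in this message, as an added example that is not part of the original post and is not nginx code: a cache that selects an entry by a digest of the key alone serves one user's response to another when two keys collide, while comparing the stored full key turns the collision into a miss. The 8-bit `toy_digest` (standing in for md5), the key format and all function names are assumptions chosen so that a collision is easy to construct.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One cache slot per digest value; the full key is kept with the body. */
struct entry { int used; char key[64]; char body[64]; };
static struct entry cache[256];

/* Toy 8-bit digest (an assumption, standing in for md5) so that a
 * collision is easy to construct: it is just the byte sum of the key. */
static uint8_t toy_digest(const char *key) {
    uint8_t h = 0;
    while (*key) h = (uint8_t)(h + (uint8_t)*key++);
    return h;
}

static void cache_store(const char *key, const char *body) {
    struct entry *e = &cache[toy_digest(key)];
    e->used = 1;
    snprintf(e->key, sizeof e->key, "%s", key);
    snprintf(e->body, sizeof e->body, "%s", body);
}

/* Lookup that trusts the digest alone: a colliding key is a "hit". */
static const char *lookup_digest_only(const char *key) {
    const struct entry *e = &cache[toy_digest(key)];
    return e->used ? e->body : NULL;
}

/* Lookup that also compares the stored full key: a collision is a miss. */
static const char *lookup_verified(const char *key) {
    const struct entry *e = &cache[toy_digest(key)];
    return (e->used && strcmp(e->key, key) == 0) ? e->body : NULL;
}

int main(void) {
    /* Constructed keys containing the username; "ab" and "ba" collide. */
    const char *k1 = "user=ab|/account", *k2 = "user=ba|/account";
    const char *r;
    cache_store(k2, "account page of ba");
    r = lookup_digest_only(k1);
    printf("digest only: %s\n", r ? r : "(miss)");
    r = lookup_verified(k1);
    printf("key checked: %s\n", r ? r : "(miss)");
    return 0;
}
```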


