[Zope] ZOracleDA (long running requests)
Guy N. Hurst
gnhurst@hurstlinks.com
Mon, 17 Jan 2000 09:49:50 -0500
PHP has a solution for this - see
http://www.php.net/manual/features.connection-handling.php3
It sets a flag your script can check so you can decide to abort or
complete an initiated server-side process after the connection is
broken.
Guy N. Hurst
Christopher Petrilli wrote:
>
> On 1/14/00 5:14 PM, Nemeth Miklos at nemeth@iqsoft.hu wrote:
> ...
> > However, there are two points, which makes me a bit anxious:
> >
> > (1) Doug Hellman mentioned that ZOracleDA does not stop long running
> > requests when the user cancels the HTTP request. Is it possible for a
> > malicious cracker to conduct a denial-of-service attack exploiting this
> > behaviour?
> > I think this is not a ZOracleDA specific problem, but a general issue
> > with Oracle. Do other technologies (PHP, mod_perl, etc) have a solution
> > for this problem? Is this a real threat?
>
> I do not believe anyone has a solution for this problem, and yes it could be
> used as an attack, pretty much regardless of their type. This is a form of
> resource starvation, and it is unavoidable without active defenses,
> something we don't have right now (nor does Apache, which can be starved the
> same way). Having said that, there is really no way that I know of to know
> that the user has stopped their HTTP request, it's not part of the protocol,
> you'd have to detect the socket being closed pre-maturely, which would NEVER
> be available thru PCGI or FastCGI, though it is theoretically feasible in
> ZServer to propagate this information.
>