Please sign in to comment.
Add some caching for password hash validation.
Password hash functions must be expensive in order to be secure. But if they have to be re-evaluated for every request, performance suffers. As a minimal remedy, cache the most recent result for every connection. This gives a great performance boost if a web browser does many requests on the same connection with the same user+password. In principle, this may keep the plain text password around longer than before. But in practice, there won't be much difference since user+password can already remain in some unused data bucket for longer than the request duration. A proper solution still needs to be found for connections from proxies which may carry requests for many different users. While it currently only requires the conn_rec, the new ap_password_validate() function takes username and request_rec to allow future extensions, like detection of brute-force attempts. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1427548 13f79535-47bb-0310-9956-ffa450edef68
- Loading branch information...
Showing with 69 additions and 8 deletions.