Manage pool of connections based on credentials #4288

Closed
nicolas-grekas opened this issue Sep 2, 2019 · 7 comments

Comments

@nicolas-grekas
commented Sep 2, 2019

https://fetch.spec.whatwg.org/#connections specifies that user agents should create a separate connection per credentials. This allows greater security by enforcing a stricter boundary between e.g. authenticated and non-authenticated requests.

Is that something curl should consider for the curl_multi_* API? via a new option?

@bagder

Member

commented Sep 2, 2019

You can use the share interface already and just provide different connection caches for different requests, which would make them totally separate - which of course will satisfy that requirement at a loss of other connection sharing that won't happen. Not an ideal solution, but possibly a work-around.

To make such a feature use the connection cache effectively I really think it needs to be handled correctly and internally for each easy handle's use of the pool.

We already do separate connections for different credentials for pretty much all other protocols so a lot of the logic is already there. The options are perhaps:

  1. switching to the WHATWG model just plain and simply, always
  2. do it optionally with a new option
  3. not do it at all

HTTP authentication is not a widely used practice these days and I think that applications that mix authenticated and non-authenticated requests to the same host using libcurl are rare. I feel that these WHATWG guidelines are mostly directed to the major browsers rather than for transfer libraries.
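
The trade-off between the options above, as an added example that is not part of the original thread and is not libcurl's code: a minimal model of a connection pool whose reuse check is keyed either on host and port alone or on credentials as well. The struct, function and host names and the request sequence are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAX_CONNS 8

/* A pooled connection: destination plus an opaque id for the credentials it
   was opened with ("" = unauthenticated). All names here are hypothetical. */
struct conn { char host[64]; int port; char cred_id[32]; };
struct pool { struct conn c[MAX_CONNS]; int n; };

/* Pick a connection, opening one if none matches; -1 if the pool is full.
   key_on_creds=1: reuse needs host, port and credentials to match.
   key_on_creds=0: reuse needs host and port only. */
static int pool_get(struct pool *p, const char *host, int port,
                    const char *cred_id, int key_on_creds)
{
  const char *cred = cred_id ? cred_id : "";
  for(int i = 0; i < p->n; i++) {
    const struct conn *c = &p->c[i];
    if(c->port != port || strcmp(c->host, host) != 0)
      continue;
    if(key_on_creds && strcmp(c->cred_id, cred) != 0)
      continue; /* different credentials: never share this connection */
    return i;   /* reuse */
  }
  if(p->n == MAX_CONNS)
    return -1;
  struct conn *c = &p->c[p->n];
  snprintf(c->host, sizeof(c->host), "%s", host);
  snprintf(c->cred_id, sizeof(c->cred_id), "%s", cred);
  c->port = port;
  return p->n++;
}

/* Constructed sequence of requests to one host; NULL = no credentials. */
static const char *const SEQ[5] = { NULL, "alice", NULL, "bob", "alice" };

/* Replay SEQ, record the connection each request used, return connections opened. */
static int run_sequence(int key_on_creds, int ids[5])
{
  struct pool p = { .n = 0 };
  for(int i = 0; i < 5; i++)
    ids[i] = pool_get(&p, "api.example.com", 443, SEQ[i], key_on_creds);
  return p.n;
}

int main(void)
{
  int ids[5];
  for(int mode = 0; mode <= 1; mode++)
    printf("key_on_creds=%d: %d connection(s)\n", mode, run_sequence(mode, ids));
  return 0;
}
```

With credentials in the key, the five requests open three connections and the unauthenticated requests never ride on an authenticated connection; without it, all five share one.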

@nicolas-grekas

Author

commented Sep 2, 2019

> You can use the share interface already and just provide different connection caches for different requests

oh indeed, thanks for the reminder!

> at a loss of other connection sharing that won't happen.

that means separated cookies and TLS state, that's what you mean, isn't it?

> switching to the WHATWG model just plain and simply, always

That would be the most effective for the lazy me at least :)

I get your last point also. I don't have specific arguments to counter it...

@bagder

Member

commented Sep 2, 2019

> that means separated cookies and TLS state, that's what you mean, isn't it?

Not necessarily. The share interface is basically a way to create a separate object that holds shared stuff (states and caches). Exactly what stuff to share you can decide yourself out of the available set. In my case I was thinking only the connection pool. Other things it can share include cookies and DNS cache etc. It's a user choice.

Then you specify which easy handles should use that specific share object. So, in a multi-using case you can have all handles share cookies and DNS cache like "normal" but have each (specified) easy handle use the dedicated share object for its connection pool...

@nicolas-grekas

Author

commented Sep 2, 2019

So, basically one can do it on their side, thanks for the pointers! curl is impressive work :)

@bagder

Member

commented Sep 4, 2019

It also struck me that you can also of course per-transfer set CURLOPT_FORBID_REUSE or CURLOPT_FRESH_CONNECT as another work-around.

@nicolas-grekas

Author

commented Sep 4, 2019

Thanks for your answers. I'm fine closing here unless you want to keep track of the proposal for the future.

@bagder

Member

commented Sep 4, 2019

Thanks, closing this.

@bagder bagder closed this Sep 4, 2019
