[pmwiki-users] Announcement: HtpasswordForm recipe major update

Crisses crisses at kinhost.org
Tue Oct 17 06:01:55 CDT 2006


On Oct 17, 2006, at 2:37 AM, Dominique Faure wrote:

> On 10/16/06, The Editor <editor at fast.st> wrote:
>>
>> One question though...  What is the reasonable limit to the number of
>> members you would recommend administering with something like
>> htpasswdform?  Hundreds?  Thousands?  More?
>>
>
> According to Apache Week[1]:
>
> << Problems with Large Numbers of Users
>
> Using htpasswd to create a text list of users, and maintaining a list
> of groups in a plain text file is relatively easy. However if the
> number of users becomes large, the server has a lot of processing to
> do to find a user's group and password details. This processing has to
> be done for every request inside the protected area (even though the
> user only enters their password once, the server has to
> re-authenticate them on every request). This can be slow with a lot of
> users, and adds to the server load. Much faster access is possible
> using DBM format files. This allows the server to do a very quick
> lookup of names, without having to read through a large text file.
> However managing DBM files is more complex. Apache Week will cover the
> use of DBM authentication in a future issue. >>
>
> These considerations fully apply to PmWiki as well. IMHO, I wouldn't
> use it for more than a few dozen users.


Caveat:

Apache needs to use htpasswd to reauth a user every time IF you're
actually using Apache's htpasswd authentication on the site.  If
you're using PmWiki with htpasswd FILES for authentication -- not
Apache's passwording, just Apache's password files for authentication
data storage -- PmWiki will NOT be authenticating people against
htpasswd at every browser request.  PmWiki stores authentication data
in session and cookie data after the user is authenticated.  This is
NOT the same thing as setting up user authentication in Apache.

The key is whether or not you changed any Apache config or .htaccess  
files to require authentication.  If you didn't, then you're only  
using the htpasswd authentication as a convenience for PmWiki  
authentication -- not Apache authentication.

The server load on a LARGE database won't be anywhere near as big.  I  
personally would keep an eye on the load, and keep in mind that I  
might need to swap auth methods if it got very large, but I don't see  
the text search against the large database being a problem since it's  
*not* hit on every browser request.

Crisses
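
Added example (not part of the original message, and not PmWiki's or the HtpasswordForm recipe's code): a small Python model of the two setups contrasted above, counting how often the htpasswd text file is searched when credentials are re-checked on every request versus once at login with a session afterwards. All names are hypothetical, the 5000-user file is constructed, and the "{SHA}" entry format is used only because the standard library can verify it.

```python
import base64, hashlib, hmac, secrets

def sha_entry(user, password):
    # One htpasswd line in the "{SHA}" format (unsalted SHA-1, weak; demo only).
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"

# Constructed sample file: 5000 users, looked up by linear search like a text file.
HTPASSWD = "\n".join(sha_entry(f"user{i}", f"pw{i}") for i in range(5000))

class HtpasswdFile:
    def __init__(self, text):
        self.text = text
        self.scans = 0        # number of times the file was searched
        self.lines_read = 0   # total lines examined across all searches

    def verify(self, user, password):
        self.scans += 1
        for line in self.text.splitlines():
            self.lines_read += 1
            name, _, stored = line.partition(":")
            if name == user:
                expected = sha_entry(user, password).partition(":")[2]
                return hmac.compare_digest(stored, expected)
        return False

def per_request_auth(store, user, password, requests):
    """Server-level auth model: credentials are re-checked on every request."""
    return sum(store.verify(user, password) for _ in range(requests))

def session_auth(store, user, password, requests):
    """Application-level auth model: file checked at login, session afterwards."""
    sessions, token, served = {}, None, 0
    if store.verify(user, password):
        token = secrets.token_urlsafe(32)   # unguessable session identifier
        sessions[token] = user
    for _ in range(requests):
        if token in sessions:               # no htpasswd access on this path
            served += 1
    return served

if __name__ == "__main__":
    for model in (per_request_auth, session_auth):
        store = HtpasswdFile(HTPASSWD)
        ok = model(store, "user4999", "pw4999", 100)
        print(model.__name__, "served", ok, "scans", store.scans,
              "lines read", store.lines_read)
```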



