Max number of REST sessions

Tanous, Ed ed.tanous at intel.com
Sat Dec 15 02:10:09 AEDT 2018


Today, there is no session count limit, aside from your BMC's RAM limitations to store a small struct for each user session, although there should be. In the past when this has come up, there were questions about what the behavior should be when user sessions roll past the limit.

Some of the proposed solutions that I’ve heard in the past:

1. Impose session limits either per user, per connecting IP address, or both. When a user rolls past the limit, one of two things can happen:

   a. New sessions are rejected until old sessions time out.

   b. New sessions will “push out” the oldest session in the queue.

2. Use session tokens encrypted with a BMC secret (similar to JSON Web Token) and don’t store the session information on the BMC at all. This would effectively remove all the session limits.

3. “Reuse” sessions per user account, effectively capping the session count to the number of users or less.

In my opinion, someone (possibly me) should put together a patchset to execute on 1b.  What are other people’s requirements in this area?  Did I miss anything?

-Ed
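
The two overflow behaviours from option 1 (1a reject, 1b push out the oldest), sketched as an added example; this is not code from the original post or from OpenBMC. The class and function names are hypothetical, the limit is per user only, timeouts are not modelled, and session ids are sequential just to keep the demo deterministic.

```cpp
#include <cstddef>
#include <deque>
#include <string>
#include <unordered_map>

// Hypothetical names throughout; not the BMC web server's session code.
enum class OverflowPolicy { RejectNew, EvictOldest };  // options 1a and 1b

class SessionTable {
  public:
    SessionTable(std::size_t perUserLimit, OverflowPolicy onOverflow)
        : limit(perUserLimit), policy(onOverflow) {}

    // Call only after the user has authenticated.
    // Returns the new session id, or 0 when the login is refused (1a).
    // Real session tokens must be unpredictable, not a counter.
    unsigned login(const std::string& user) {
        if (limit == 0) return 0;
        std::deque<unsigned>& owned = byUser[user];  // oldest at the front
        if (owned.size() >= limit) {
            if (policy == OverflowPolicy::RejectNew) return 0;
            owner.erase(owned.front());  // 1b: push out the oldest session
            owned.pop_front();
        }
        unsigned id = nextId++;
        owned.push_back(id);
        owner[id] = user;
        return id;
    }

    // A pushed-out session id stops validating immediately.
    bool isValid(unsigned id) const { return owner.count(id) != 0; }

    std::size_t count(const std::string& user) const {
        auto it = byUser.find(user);
        return it == byUser.end() ? 0 : it->second.size();
    }

  private:
    std::size_t limit;
    OverflowPolicy policy;
    unsigned nextId = 1;
    std::unordered_map<std::string, std::deque<unsigned>> byUser;
    std::unordered_map<unsigned, std::string> owner;
};
```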