Hi Ferenc,

On Tue, Jan 27, 2015 at 6:44 PM, Ferenc Kovacs <tyr...@gmail.com> wrote:

> On Tue, Jan 27, 2015 at 3:35 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
>
>> Hi all,
>>
>> On Tue, Jan 27, 2015 at 11:06 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
>>
>> >  - session.hash_function=1 : Use SHA1 rather than MD5
>>
>>
>> I realized that we should remove hashing for better performance.
>>
>> Since session ID is generated from crypt secure RNG (/dev/urandom by default),
>> simply converting the data into text is enough. Hashing is _slow_.
>>
>> Any comments?
>>
>
> on the contrary, both sha1 and md5 are super fast, so I don't think that is
> a good argument.
> and if you remove the hashing there will be no known length for the
> session id, and sooner or later people will screw themselves when bumping
> into some limit or getting their session id truncated (be that a cookie max
> length or a db field).
>

MD5 and SHA1 are reasonably fast. However, when I implemented
session.lazy_write, I found hashing is spoiling performance in a simple
script benchmark.

A lot of session IDs may be generated with browsers that do not
support/enable cookies. Many sites can ignore the overhead, but busy sites
get benefits from raw session ID. It may be small, but it uses fewer CPU
cycles for sure. We may set a long enough fixed-length ID with raw session ID.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
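
The fixed-length point raised in this exchange, as an added example that is not part of the original message and is not php-src code: random bytes from /dev/urandom are converted straight to text at 4, 5 or 6 bits per character, so the ID length is known in advance without a hash. The function names and the 64-symbol alphabet are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stddef.h>
/* 64 symbols; 4, 5 or 6 bits per character use the first 16, 32 or 64. */
static const char SID_CHARS[] =
    "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,-";

/* Text length is ceil(8 * nbytes / bits): fixed before any ID exists. */
size_t sid_text_len(size_t nbytes, int bits)
{
    return (nbytes * 8 + (size_t)bits - 1) / (size_t)bits;
}

/* Raw bytes to text, no hashing. Returns length written, 0 on bad args or small buffer. */
size_t sid_encode(const unsigned char *raw, size_t nbytes, int bits,
                  char *out, size_t outsz)
{
    if (bits < 4 || bits > 6 || nbytes == 0) return 0;
    if (outsz < sid_text_len(nbytes, bits) + 1) return 0;
    unsigned int acc = 0, mask = (1u << bits) - 1;
    int have = 0;
    size_t o = 0;
    for (size_t i = 0; i < nbytes; i++) {
        acc |= (unsigned int)raw[i] << have;   /* append 8 fresh bits */
        for (have += 8; have >= bits; have -= bits, acc >>= bits)
            out[o++] = SID_CHARS[acc & mask];
    }
    if (have > 0) out[o++] = SID_CHARS[acc & mask];  /* leftover bits */
    out[o] = '\0';
    return o;
}

/* Session ID from nbytes of /dev/urandom; 0 on any failure. */
size_t sid_generate(size_t nbytes, int bits, char *out, size_t outsz)
{
    unsigned char raw[64];
    if (nbytes > sizeof raw) return 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return 0;
    size_t got = fread(raw, 1, nbytes, f);
    fclose(f);
    if (got != nbytes) return 0;   /* short read: refuse, do not pad */
    return sid_encode(raw, nbytes, bits, out, outsz);
}

int main(void)
{
    char sid[64];
    return sid_generate(32, 5, sid, sizeof sid) && puts(sid) >= 0 ? 0 : 1;
}
```

With 32 random bytes the ID is always 64, 52 or 43 characters at 4, 5 or 6 bits per character, so a cookie limit or database column can be sized once.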
