
Got Users? How About 100M of Them? - Sbobby83
https://www.inversoft.com/blog/2016/04/19/got-users-100-million/
======
johnloeber
> Did you know that each time you log into Facebook, check your email or fire
> up Candy Crush, a software engineer has thought about user registration and
> authentication.

It's a bad sign when the very first sentence of your promotional blogpost has
no coherent meaning in the English language.

> I am quite sure that if your application actually grew that quickly the rest
> of your infrastructure would fail spectacularly. But rest assured, Passport
> will be just fine.

Another thing about writing promotional blogposts: don't belittle your
potential clients.

~~~
brianwawok
I am trying to figure out the use case of login as a service. There obviously
is one, but I am having trouble thinking of it. Clearly login means something
different to each app, right?

~~~
brokenwren
The registration and login parts are usually the simple features to implement.
It's the localization, emailing, password encryption, disciplining, rewards,
two-factor authentication, OAuth, login reporting, registration reporting,
daily active users reports, and monthly active users reports that are the more
challenging features to build yourself. Almost every application needs all of
these features, but very few have them because they take so long to code.

~~~
brianwawok
So encryption, emailing, OAuth... Django or another modern framework does all
of that out of the box or with a plugin.

Login reporting is cool... But if you build your own you can get full app
reporting. Not sure of the exact value add but I would way rather have
reporting on all pages not just login.

Localization? The hard part is translating my entire app. Not sure if I do
that work, I'm going to be mad I have to translate the words login and logout.

~~~
robotdan
I know that I've found that above the base features that many frameworks
provide such as Django - if you start pulling the thread on features like
forgot password / reset password - I quickly find there is a lot of coding to
be done.

Click reset, store a unique id, send the user an email with a link including
the unique id, verify that ID on the request and then allow a password change.
Then to be secure that unique id needs to be timed out once it is generated to
ensure the link is only good for a short period of time, etc.

Not to say anyone couldn't code all of that, but some of the simple features
once fully thought out end up being fairly complex. In my experience many of
the out of the box options still need to be extended to be fully realized for
enterprise usage.

I don't have a ton of experience with Django specifically so I could be
mistaken - perhaps it does more than I know.
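
The reset flow robotdan describes (store a unique id, mail a link carrying it, verify it on the request, then allow the password change, with the id expiring after a short window) written out as an added example. This is not code from the original thread, nor from Passport or Django; it assumes a constructed in-memory store and a constructed user table, stores only a hash of the token so a leaked store does not yield usable links, makes each token single-use, and applies the expiry check on redemption. The `clock` parameter exists only so expiry can be exercised deterministically.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: links stay valid for 15 minutes
RESET_URL = "https://example.invalid/reset"  # constructed placeholder URL


class ResetTokenStore:
    """Holds outstanding reset tokens keyed by their SHA-256 digest.

    Only the digest is stored: if the table leaks, an attacker still cannot
    build a valid link, because they would need a preimage of the digest.
    """

    def __init__(self, ttl_seconds=TOKEN_TTL_SECONDS, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._tokens = {}  # digest -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id):
        """Create a fresh random token for user_id; returns the raw token."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[self._digest(token)] = (user_id, self.clock() + self.ttl)
        return token

    def redeem(self, token):
        """Return the user_id bound to token, or None if unknown or expired.

        pop() makes the token single-use: a second redemption fails even
        when the first one happened within the validity window.
        """
        entry = self._tokens.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self.clock() > expires_at:
            return None
        return user_id


def build_reset_link(token):
    """The link that would be emailed to the user (constructed URL)."""
    return f"{RESET_URL}?token={token}"


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a per-user random salt (200k iterations)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def verify_password(users, user_id, password):
    """Constant-time comparison against the stored PBKDF2 digest."""
    salt, stored = users[user_id]
    _, candidate = hash_password(password, salt)
    return secrets.compare_digest(candidate, stored)


def reset_password(store, users, token, new_password):
    """Complete the flow: valid token -> replace the user's password hash.

    Returns True on success, False if the token is unknown, used or expired.
    """
    user_id = store.redeem(token)
    if user_id is None or user_id not in users:
        return False
    users[user_id] = hash_password(new_password)
    return True


if __name__ == "__main__":
    users = {"alice": hash_password("old-password")}  # constructed user table
    store = ResetTokenStore()
    link = build_reset_link(store.issue("alice"))
    print("email body would contain:", link)
    token = link.split("token=", 1)[1]
    print("reset ok:", reset_password(store, users, token, "new-password"))
    print("new password works:", verify_password(users, "alice", "new-password"))
    print("replay rejected:", reset_password(store, users, token, "again"))
```

The expiry is checked at redemption rather than by a background sweep, so a token that was issued but never used simply becomes unredeemable once the window passes; the dict entry is dropped on the first redemption attempt either way.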

------
hack_edu
Not a good reflection on your actual ability to scale when a 500 word blog
post makes your entire web server choke after just a few minutes on the front
page.

~~~
brokenwren
That's what happens when 10,000 people hit your website all at once. :) I
think it's probably WordPress that is sucking here though.

~~~
hack_edu
That makes it better? This is a marketing post and should reflect your
company's strengths, _especially_ when the topic of the post is about said
quality.

~~~
nickpsecurity
I always remember in moments like these that Cloudflare is something like
$50-200 a month. Wait, a quick look is $0/$20/$200 with $0 or $20 probably
covering it. Hmmm.

~~~
ddorian43
Cloudflare doesn't cache your sql queries.

~~~
morgante
It's a static webpage. You shouldn't need to re-run SQL queries for each user.

Pages like this are literally what CDNs are great for.

~~~
nickpsecurity
That's what I was thinking. Only need to do SQL on the actual registration
process. That's _if_ you use a SQL DB for it as opposed to an in-memory,
key-value store that persistently writes to disk. Alternatively, doing data at
the app layer (eg AllegroCache-style) with a partitioning scheme distributing
among a number of inexpensive nodes. Quite a few things to do before we run
into SQL's problems even if it involves data processing.

~~~
CiPHPerCoder
I'm building a CMS in the same vein as the others (WordPress, etc.) and made
static page caching a first-class feature that bypasses the autoloader
completely.

[https://github.com/paragonie/airship/blob/e24ea5a4605336b171...](https://github.com/paragonie/airship/blob/e24ea5a4605336b17190cefc300660b13c2a9535/src/public/index.php#L30-L55)

This is something that really ought to be baked-in in 2016.

~~~
nickpsecurity
Hey, while you're on, I have a quick question. I've avoided PHP in favor of
more static, safe languages with small TCB's. Early on, I thought about
reimplementing the runtime/libs in one or compiling it to one. Discovered
Quercus PHP on Java system that claimed benefits of both. Had potential given
Java gets constant bughunting and has many implementations.

What do you think of compiling PHP plus libs for app compatibility to
something like Rust, Ada, or Cyclone where possible? And do you know if anyone
has assessed quality/security of Quercus/Resin code in particular? Seems
something like that compatible with WordPress or Airship could be quite a
boost in defense of code injection at system level. Performance, too, as we
saw with HipHop.

~~~
CiPHPerCoder
I think that would make for a very fun research project, especially if a
memory-safe language like Rust were used.

In addition to your examples of Quercus and HHVM, someone is currently working
on compiling PHP to .NET: [http://www.peachpie.io](http://www.peachpie.io)

I'm not aware of any security audits on any of these efforts.

~~~
nickpsecurity
Well darn. I was hoping someone had reviewed them. Good to see positive
feedback on the concept, though. Btw, there's also Phalanger for .NET:

[https://en.wikipedia.org/wiki/Phalanger_%28compiler%29](https://en.wikipedia.org/wiki/Phalanger_%28compiler%29)

Already runs WordPress, phpBB, etc. Anyone doing this sort of thing on .NET
might consider starting with contributions to it. I'm trying to avoid CLR and
JVM due to runtime complexity where possible. Aside from Rust, Go is another
possible target for a simple runtime.

------
nickpsecurity
A more realistic worst case scenario is a huge chunk of those 18 year olds
trying to get an account after school. You'd need a tad more than 400 requests
a second to handle it. Even one percent of one percent of them doing it is
7,300 users at once. Maybe request buffering and storage could help while the
main node just does its measly 400 a second.

Then again, 400 a second doesn't sound that fast given what HSM's and
databases do. Maybe this software is just doing something complicated with
each request.

~~~
brokenwren
This is 400 _registrations_ per second not logins. On the test hardware,
Passport can handle 1,000 logins per second. Remember that the server this
test was run on is 10 years old and has crap hardware. Running these tests on
a modern box with new Xeon CPUs and a 2400MHz bus would probably double or
triple those numbers.

~~~
yxhuvud
Scenario: Servers have to be restarted (or crash) during rush hour with 100M
active users.

Even being generous and allowing for 10000 logins per second, it will take
almost 3 hours for everyone to relogin. Oops.

Ok, so that 100M is clearly not viable for services that actually expect a
significant amount of their users to use the service at roughly the same time
(that is - it would clearly not handle Facebook amount of load).

A much more relevant metric would be how many simultaneous sessions you can
handle while being able to claim good service (say, the 99th percentile being
able to login without getting time-outs).

Also, generally speaking, most authentication systems will involve at least a
few server-side writes for logins, meaning the difference to new registrations
shouldn't be all that big in a well designed and compartmentalized system.

Disclaimer: Yeah, I used to work for a company that did authentication servers
for ISPs.

~~~
nickpsecurity
There we go. That's a good example of the kind of issue I was talking about. A
much more realistic one, too. Of course, we're talking about _registration_
rather than just authentication. Their authentication numbers are probably
much higher and such are easy to HW accelerate.

------
nxzero
Seriously thought this was going to be about getting a 100M users, not load
balancing for them.

~~~
brokenwren
Haha. I wish! That would be awesome, but getting to 100M users is probably 10%
planning/process and 90% luck.

~~~
nxzero
If you define luck as knowing how to do it, sure; otherwise, no, it's not
luck, but not easy.

------
Willson50
Google Cache:
[https://webcache.googleusercontent.com/search?q=cache:aGmxOP...](https://webcache.googleusercontent.com/search?q=cache:aGmxOPfJqhQJ:https://www.inversoft.com/blog/2016/04/19/got-users-100-million/+&cd=1&hl=en&ct=clnk&gl=us)

------
voidmain1
If I can save time and not have to figure out security, reporting and
everything else, I'm on board!

~~~
robotdan
Agreed, but if I'm a dev - I prefer something free to start with; generally
I'm not going to spend a lot of money when there are free alternatives.

I like how Atlassian does it - they more or less give it away for free for
small companies and then once you can afford it they start charging more.
Unless I can get going for free, probably a non starter.

~~~
brokenwren
Passport is free for up to 50 users. This is enough for most developers to get
started and into production (depending on the use case). Plus, you don't have
to pay more for internal versus external users. Everything is based on the
total number of users in the database, so pricing is simple.

------
ecospace
Awesome company and awesome team!

------
anorwell
400 requests per second.

------
vonklaus
Look, I get it, there aren't a lot of female engineers and saying things like
"you guys" is probably annoying to the few there are.

That said, inserting "she" everywhere just feels disingenuous, and I notice it
everywhere from technical blogs to a16z write ups.

Sure, your company is 30% female in all positions (amazing for the industry in
this hypothetical) and your top tech team is all over it. Your core
engineer, she's digging through mounds of code with only her team of 2, an
African American native Inuit, top of her year at Stanford, and a trans
person.

I would love to see the industry be attractive to all types. However, you
can't just swap pronouns because it sounds so fake and disingenuous.
Probabilistically speaking, your engineering team is not 100% women or even
close.

idk, maybe blasphemous or inflammatory, just strikes me as a feeble attempt to
normalize something that isn't normal...

edit: wow, I apologize I guess? It seems forced to me that the whole industry
changed pronouns (if little else) overnight. So I guess I am a misogynist for
actually thinking more equitable demographics would be better than some
language nuance, which just feels forced.

edit2: I deleted some comments that basically said the above, but slightly
more rudely. Apologies.

~~~
morgante
What exactly is "not normal" about female engineers?

Occasionally using "she" to refer to an unknown person is a welcome relief
from the abundant writing which solely uses the male pronoun. When
documentation uses "he" it doesn't mean engineering teams are 100% male and
using "she" doesn't mean the inverse.

~~~
vonklaus
It isn't normal unfortunately. It's why there is a push for women in tech.
There isn't a top company that is 50/50 (I don't believe this has to be the
case across the board) but using it just feels disingenuous.

Idk, I'm not a female engineer. Maybe Passport was predominantly written by
female engineers. If I was a minority in some arena, I suspect I would be
slightly put off if they just pretended I wasn't.

~~~
morgante
Why on Earth would it have to be 50/50 for something to be "normal?"

Only about 43% of college students are male. Does that mean it's not normal to
have a male college student?

Please take your casual sexism elsewhere.

------
robotdan
Mo users, mo problems.

~~~
kstra
Truth.

