[web-devel] ANNOUNCE: clientsession- (performance enhancement)

Michael Snoyman michael at snoyman.com
Sun Nov 27 05:27:16 CET 2011

Hi all,

tl;dr: randomIV is now much faster, API is the same, upgrade ASAP to
avoid painful slowdowns.

Version 0.7 of clientsession brought with it a much enhanced
encryption and hashing algorithm, courtesy of Felipe Lessa. Beginning
with this version, you now need to provide an Initialization Vector
(IV) for encrypting cookies, and these IVs need to be randomly
generated. To start off with, we simply used the getIVIO[1] function
to generate these values.

Recently, some Yesod users reported that version 0.9 of Yesod no
longer lived up to previous benchmarks. After some research, I
determined that the slowdown came from the call to randomIV in
clientsession. The initial fix was simply to disable this call when it
wasn't used, but it was still a significant slowdown for most users of
Yesod. Over the past few days, Felipe and I put together a
significantly more efficient version of randomIV. getIVIO simply opens
up /dev/urandom on each request, which involves I/O. As a result, the
average run time of the function in our testing was 1.686ms.

Instead, our new code initializes with a call to /dev/urandom for the
base randomness. It then uses AES encryption to work as a
cryptographic random number generator for generating successive IVs.
Additionally, every 1000 calls (we'll probably change that number over
time), it spawns a new thread to reseed the generator from
/dev/urandom again. The result is a function that takes 7.144764 us,
aka 236 times faster.

Thanks for the initial reporters who commented on the slowdown in
Yesod. If you install the newest clientsession and rerun the
benchmarks, you should see *significantly* better results.


[1] http://hackage.haskell.org/packages/archive/crypto-api/0.8/doc/html/Crypto-Modes.html#v:getIVIO

More information about the web-devel mailing list