I have asked a few questions on here before about various things relating to this but this is more of a consolidation question as I would like to check I have got the gist of everything.

I am in the middle of developing a social media web app and although I have a lot of experience coding in Java and in PHP I am trying things a bit different this time. I have modularised each component of the application. So for example one component of the application allows users to private message each other and I have split this off into its own private messaging service. I have also created a user data service the purpose of which is to return data about the user, for example their name, address, age etc. from the database. There is also another service, the friends service, which will work off the neo4j database to create a social graph. My reason for doing all this is to allow me to update separate modules when I need to - so while they mostly all run off MySQL right now I could move one to Cassandra later if I thought it appropriate.

The actual code of the web app is really just used for the final construction. The modules behind it don't really follow any strict REST or SOAP protocol. Basically each method on our API is turned into a PHP procedural script. This then may make calls to other back-end code which tends to be OO. The web app makes cURL requests to these pages and POSTs data to them or GETs data from them. These pages then return JSON where data is required.

I'm still a little mixed up about how I actually identify which user is logged in at that moment. Do I just use sessions for that? Like if we called the get-messages.php script, which equates to the getMessages() method for that user - returning all the private messages for that user - how would the back-end code know which user it is, as posting the user's ID to the script would not be secure. Anyone could do that and get all the messages. So I thought I would use sessions for it. Am I correct on this?

Can anyone spot any other problems with what I am doing here?

Thanks

A: 

For me it looks like there will be a lot of overhead in communicating between the various components.

Making POST/GET requests and encoding and decoding JSON several times per page view will be quite expensive.

Joel L
A: 

Do I just use sessions [to identify logged in users]?

Yes, normally the current user id would be put in the session. However, in order to get a list of logged in users you would also need to store the currently logged in users in the database and update that as people login/out and when sessions are destroyed.

Can anyone spot any other problems with what I am doing here?

Only to question why are you using PHP as a wrapper to the Java backend? Why not use the web-facing bits of the Java stack as well e.g. JSF?

Paolo
A: 

What you're creating sounds a lot like any other REST interface, such as the Twitter API. In that case, you might consider looking at how those APIs handle user sessions.

Typically there is some sort of handshake process that gives the client a user token, and the client uses that token to get data from the API so long as that session is active.

So in this case you'd have to develop the interface for generating a user token and then have the backend manage those sessions. For your various interfaces like get-messages.php you'd probably take something like $userToken as a $_GET or $_POST variable and validate it against your database of active user sessions.

editor
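The token handshake this answer describes, and the get-messages.php case from the question, as an added example that is not code from the question or from any of the answers: the front end exchanges its login for a random token, and the back-end script resolves the token to a user instead of trusting a posted user ID. It assumes a PDO handle $db, a table api_sessions(token_hash, user_id, expires_at) and a messages table with a recipient_id column; all of those names are assumptions.

```php
<?php
// Added example, not from the page. Assumed schema:
//   api_sessions(token_hash CHAR(64), user_id INT, expires_at INT)
//   messages(id, sender_id, recipient_id, body, sent_at)
const TOKEN_TTL_SECONDS = 3600;

// Called by the front end once its own login has succeeded. Returns the raw
// token to hand to the client; only its SHA-256 hash is stored, so a leaked
// api_sessions table does not contain usable tokens.
function issueToken(PDO $db, int $userId): string {
    $token = bin2hex(random_bytes(32));               // 256 bits from the CSPRNG
    $stmt = $db->prepare(
        'INSERT INTO api_sessions (token_hash, user_id, expires_at)
         VALUES (:h, :uid, :exp)'
    );
    $stmt->execute([
        ':h'   => hash('sha256', $token),
        ':uid' => $userId,
        ':exp' => time() + TOKEN_TTL_SECONDS,
    ]);
    return $token;
}

// Resolves a presented token to a user id, or null when it is malformed,
// unknown or expired. The caller never names the user; the token decides.
function userIdForToken(PDO $db, string $token): ?int {
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;                                  // reject junk before the DB round trip
    }
    $stmt = $db->prepare(
        'SELECT user_id FROM api_sessions
         WHERE token_hash = :h AND expires_at > :now'
    );
    $stmt->execute([':h' => hash('sha256', $token), ':now' => time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['user_id'];
}

// Body of get-messages.php: take the token from the POST data, refuse the
// request if it does not resolve, and only then query that user's messages.
function getMessages(PDO $db, array $post): array {
    $token  = isset($post['userToken']) ? (string) $post['userToken'] : '';
    $userId = userIdForToken($db, $token);
    if ($userId === null) {
        http_response_code(401);
        return ['error' => 'invalid or expired token'];
    }
    $stmt = $db->prepare('SELECT id, sender_id, body, sent_at FROM messages
                          WHERE recipient_id = :uid ORDER BY sent_at DESC');
    $stmt->execute([':uid' => $userId]);
    return ['messages' => $stmt->fetchAll(PDO::FETCH_ASSOC)];
}
```

The script's last line would be `echo json_encode(getMessages($db, $_POST));`, and a logout endpoint simply deletes the row whose token_hash matches, which is also how the back end can enumerate currently logged-in users as the second answer suggests.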