Re: Cookie Timeouts

From: Willy Tarreau
Date: Wed, 16 Jan 2008 11:51:22 +0100

Hi Dan,

On Tue, Jan 15, 2008 at 04:27:24PM -0700, Dan Zubey wrote:
> > I don't get it. That's precisely the purpose of server cookies, they are
> > used to provide persistence, which means that the same user will remain
> > on the same server as long as it does not close its browser. What are
> > you trying to achieve precisely?
> Well, the problem is each one of our sessions may vary in length
> depending on how long each student spends doing his homework.
> With WRR balancing, each application instance receives exactly the same
> number of users as the load increases. However, since the students log
> off at different times, we end up with non-balanced servers near
> noontime. The decreasing load, in our case, is not even.

So that means that you have a small number of students and that statistical distribution does not work? I mean, if you have thousands of students, there is no reason why mostly those logged on one server would log out, and fewer for other servers.

> My idea was to tell an idle client that his cookie was no longer valid
> after a timeout, and force him to re-log in. That will take care of a
> case where open browsers stay permanently glued to one app.

I understand now what you're trying to do. But this will annoy all the users, who will have to re-log in after some time. Also, the problem with expirable cookies is that they are stored (to the best of my knowledge). I don't know how to set expirable session cookies. Another problem with this is that if haproxy returns expirable cookies, it implies that it has a correct date and that the user's client does too. That generally works well with sites which assign such cookies for tracking purposes because the expiration dates are quite far in the future, but if you want to expire a cookie just a few hours in the future, it is more problematic (e.g., some users or your server may not respect DST).

> (The best bet is to get people to close browsers when they're finished,
> but that's like pulling teeth with some teachers.)

I don't see why they would have to close their browser if they don't use it. Or maybe your application produces some sort of frequent automatic reloads causing permanent activity?

> This is also why I was bothering you (I do apologize, btw) about
> least-connection-first balancing.

Yes, I see, but in this case it will not work. Least conn will work with *active* connections. There is no way for the proxy to know how many people are *logged* on the application server.

Willy

Received on 2008/01/16 11:51
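
The clock dependency raised in the message above, as an added example that is not part of the original e-mail or of haproxy: a cookie carrying an absolute `Expires` date is judged against the client's own clock, so a one-hour (DST-sized) skew costs half of a two-hour lifetime but is negligible for a one-year tracking cookie. The cookie name `SERVERID`, the value `app1`, the timestamps and all function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime


def build_set_cookie(name, value, server_now, ttl):
    """Server side: Expires is an absolute date computed from the server clock."""
    expires = format_datetime(server_now + ttl, usegmt=True)
    return f"{name}={value}; Expires={expires}; Path=/"


def client_lifetime(header, client_now):
    """Client side: how long the cookie is kept, judged against the client clock."""
    for attr in header.split(";")[1:]:
        key, _, val = attr.strip().partition("=")
        if key.lower() == "expires":
            return parsedate_to_datetime(val) - client_now
    return None  # no Expires: session cookie, kept until the browser closes


def skew_report(ttl, offset_hours, true_now):
    """Map each client clock offset (hours) to the fraction of the TTL granted."""
    # Assumption: the server clock is correct; only the client clock is skewed.
    header = build_set_cookie("SERVERID", "app1", true_now, ttl)  # constructed
    report = {}
    for hours in offset_hours:
        kept = client_lifetime(header, true_now + timedelta(hours=hours))
        # A date already in the past means the cookie is dropped at once.
        report[hours] = max(kept, timedelta(0)) / ttl
    return report


if __name__ == "__main__":
    now = datetime(2008, 1, 16, 10, 51, 22, tzinfo=timezone.utc)  # constructed
    for ttl in (timedelta(hours=2), timedelta(days=365)):
        for hours, frac in skew_report(ttl, [-1, 0, 1, 3], now).items():
            print(f"ttl={ttl}, client clock {hours:+d}h: "
                  f"keeps {frac:.2%} of the intended lifetime")
```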
