RE: appsession fix

Thanks for the response. I didn't know about the url_param method until you mentioned it. Unfortunately, it won't work for us because our sessions are not replicated. What we really need is sticky sessions that can pull the session from the URL when necessary. We are working around the Flash FileReference cookie bug.

Thanks,
Ryan

-----Original Message-----
From: Aleksandar Lazic [mailto:al-haproxy#none.at] Sent: Thursday, February 14, 2008 3:01 PM To: haproxy#formilux.org
Subject: Re: appsession fix

Hi all ;-),

On Don 14.02.2008 22:09, Willy Tarreau wrote:
>
>On Thu, Feb 14, 2008 at 01:05:17PM -0700, Ryan Warnick wrote:
>> We would like to be able to use any query parameter that we want
>> (without out it having to start with a ;).
>
>OK I see now. IIRC, the semi-colon was selected because of common use
>on existing applications (Aleks correct me if I'm wrong). The
>semi-colon was not the start of the parameter name, but used as a
>separator between previous parameter and the one we care about. I think
>that we should just check that the parameter is either at the beginning
>of the query string, or preceeded by a non-alphanum (nor any of '_',
>'-' and a few other ones).

You are absolute right ;-)

As described in http://gbiv.com/protocols/uri/rfc/rfc3986.html the ; is a valid value in the uri.

The most 'current' application servers use the '...;$PART?' $PART to add a session id if the user have disabled cookies.

That is also the reason for the following code:

---haproxy-1.3.14.2/src/proto_http.c:get_srv_from_appsession() .
.
(request_line = memchr(begin, ';', len)) == NULL .
.

        /* skip ';' */
        request_line++;
.

---

Why do you don't use the url_param methode?!

--- from haproxy-1.3.14.2/doc/haproxy-en.txt
Version 1.3.14 introduced the "balance url_param" method.
---

Maybe it will be a good idea to add a hook for the appsession into to
url_param methode, if it possible?!

Which application is this, a self developed one or a commercial, yust
for my curiosity, if you allowed to say.



>> Also, thanks for your critique of our proposed change.  You are

>> absolutely right, we should use something like memmem instead.

>

>I'm just realizing that since the cookie name is fix and checked for

>every request, it may make sense to use a boyer-moore search method,

>and construct the table at configuration time. That way, the longer the

>cookie, the faster the scan. And with an average size around 10 chars

>(JSESSIONID, ...), it would make parsing 10 times faster.


As http://www.stedee.id.au/awffull does ;-)

---from ChangeLog
27-Jan-2006     Steve McInerney <spm#stedee.id.au>
awffull-3.3.1-beta1.tar.gz
.
.
.
         * Implement Boyer-Moore-Horspool for pattern matching (vs strstr).
             Approx. 50% faster overall from 3.02, depending on the GroupXXX
             complexity!
.
.
.
---

Steve and I talked about some algorithms and we agreed this was the
'best fit' algorithms for us ;-)

As you remember Willy, some times ago we talk about search algorithms
and http-parsing ;-)

Cheers

Aleks



__________ NOD32 2873 (20080213) Information __________

This message was checked by NOD32 antivirus system.
http://www.eset.com