Re: Small patch for the "appsession" feature

From: Cyril Bonté <>
Date: Mon, 2 Nov 2009 21:06:46 +0100

Le lundi 2 novembre 2009 12:09:43, Willy Tarreau a écrit :
> > * it adds a verification on the '=' char :
> > currently (with appsession JSESSIONID for example), an URL like http://<haproxy>/path;jsessionidfake=0123... matches the session id "ake=0123..."
> > => with the patch, jsessionidfake won't be recognized.
> I think we must not do this, because one of the reasons for not
> checking the equal sign was because of people who have to use IIS
> with its ASPSESSION cookies.

Interesting to know about this ASPSESSION cookies, I'm not an IIS user.

> The end of the cookie name is part of the value.

Ok, note that the only modification I made is for the url part, not for the cookie. So maybe this is not a problem. After some searches, I've seen that IIS does'nt support natively cookieless persistance : it needs an ISAPI filter to do so (named Cookie munge). I've read this filter sources and it looks like the URL part for ASPSESSIONIDxxxx is "-ASP=" (without the left side value), which doesn't start with the semi-colon awaited by the appsession code. Maybe I'm wrong, I'm really not an ASP developper and the information I found are maybe outdated (it concerned IIS 4.0/5.0).

> So it's important that we can check cookie prefixes.

Sorry but I can't see in the haproxy sources how the cookie prefix can be used for appsession. "capture cookie" allows to find this cookie prefix but it seems there's no code to then use it in appsession. If it's the case, I can work on it these next days, if you want.

> However, please avoid variable declaration in the middle of the
> code such as below, this is not compatible with compilers before
> gcc version 3.0.
> > @@ -4080,7 +4080,11 @@
> > /* first, let's see if the cookie is our appcookie*/
> >
> > /* Cool... it's the right one */
> > - manage_client_side_appsession(t, p3);
> > + int value_len = p4 - p3;
> > + if (value_len > t->be->appsession_len) {
> > + value_len = t->be->appsession_len;
> > + }
> > + manage_client_side_appsession(t, p3, value_len);

Oops, I missed it :)

Cyril Bonté
Received on 2009/11/02 21:06

This archive was generated by hypermail 2.2.0 : 2009/11/02 21:15 CET