Re: strange behaviour with appsession

From: Willy Tarreau <w#1wt.eu>
Date: Tue, 6 Apr 2010 20:50:50 +0200


On Tue, Apr 06, 2010 at 08:34:54PM +0200, Cyril Bonté wrote:
> Le mardi 6 avril 2010 06:49:32, Willy Tarreau a écrit :
> > From my memory, it is also accepted that the cookie is *at least* as long
> > as the appsession name length (eg: for ASPSESSIONIDXXX=YYY).
>
> Oh ok, with that last bug I understand why you already told me that some monthes ago !
> ASPSESSIONIDXXX=YYY is not accepted in the 1.3 branch, this is why I added the "prefix" keyword to be able to get the value "XXX=YYY" in the 1.4 branch.

Hmmm I remember that now.

> From what you just said, I guess the code should detect a cookie named "ASPSESSIONIDXXX" and get the value "YYY".
>
> > I suspect there is a wrong length computation somewhere, it's a common
> > mistake to take len=MIN(found,configured) and match on that.
>
> This is due to the comparison length, where the cookie length is took into account instead of the appsession name length.
> Using the appsession name length would allow ASPSESSIONIDXXX (+ check that memcmp won't go after the buffer size).
>
> Well, to finalize the patch, what do you prefer ? accept ASPSESSIONIDXXX (which didn't work) or strictly detect ASPSESSIONID ?

I don't want to do important changes in 1.3, so I'd rather have the length correctly checked and ensure that we don't suddenly see the appsession code work differently, or it will scare users away.

However for 1.4, I'd prefer that the code does what the config states. That means correct length check while keeping support your prefix patch.

I don't know if my explanations are clear, otherwise please ask again :-)

Regards,
Willy Received on 2010/04/06 20:50

This archive was generated by hypermail 2.2.0 : 2010/04/06 21:00 CEST