Re: appsession not working in url (1.3.22, 1.3.24)

From: Michael Rennt <m.rennt#gmx.net>
Date: Tue, 13 Apr 2010 15:30:04 +0200


Hi,

thanks for the reply Willy + Cyril.

On 09.04.2010 22:43, Cyril Bonté wrote:
> Hi,
>
> On Friday 9 April 2010 20:21:24, Willy Tarreau wrote:

>>> With 1.3.22 and .24 I just get the "manage_server_side_cookies". When I constantly deny the cookie,
>>> the requests are round-robined, while with 1.4.4 they are sticky from the first request on, because
>>> the url appsession lookup in the url is working.
>>
>> Could you please also include a dump of the exchange between the client and
>> haproxy (or even an output of "haproxy -d") ? It is possible that something
>> appears mangled and that we're not thinking about it.
>>
>>> Will this be fixed in 1.3.x or do you suggest to upgrade to 1.4?
>>
>> No, there is no reason to upgrade for something that ought to work. 1.3 is
>> still maintained, so if it is supposed to work and it doesn't, it's a bug
>> and it needs to be fixed. If the fix is too dangerous, we may reconsider
>> this but right now this has not been qualified yet. However, you can use
>> 1.4 as a workaround (or maybe you plan to upgrade for other reasons).

>
> Well, no this is not really a bug.
> HAProxy 1.3.x only parses the path parameters, behind a semicolon (and only the first one),
> like http://test/cookie.php;jsessionid=xxxxx?querystring

This explains the behaviour, so I guess debugging output (hash table dump) is not required. Is the cookie name in appsession case-insensitive when it's matched in the URL?

>
> The only "bug" is that the documentation says it checks the query string, which is not true.
> That's why I added a mode to appsession in one of the 1.4.x patches, which allows choosing between path parameters and the query string.

Will this be backported to 1.3.x or can this patch be safely applied to 1.3? This sounds like a great thing to have in 1.3.

>
> http://haproxy.1wt.eu/git?p=haproxy-1.4.git;a=commit;h=b21570ae0f5024b86b72762a519972fbce5b307e
>
> Now, what I don't understand: why is your JSESSIONID parameter in the query string? Which server do you use to allow that?
>

That's easily explained: I'm using a very short piece of PHP and decided to name the variable JSESSIONID. Of course, this might cause some confusion.

Thanks for sharing your experience with cookies, Willy. I can't believe that a site with 2M visitors per day doesn't even have a single security-obsessed visitor that turned off cookies completely. I agree on this, it's just a requirement in a project.

> Multiple sticks are supported though right now we can only stick on IP addresses.

Is this something that will be implemented in 1.4 or are you talking about 1.3 vs. 1.4 when you say it's not supported right now?

Is there a place to read about the precedence of the different methods (cookie, appsession, balance)?

Best,

Michael

Received on 2010/04/13 15:30
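
The two lookup locations discussed in this thread, as an added illustration that is not part of the original message and is not HAProxy's code: the first path parameter after a semicolon (the 1.3.x behaviour Cyril describes) versus the query string. The function names, the sample URLs other than Cyril's, and the exact-case name match are assumptions (the thread leaves the case question open); the mode names follow the `mode path-parameters|query-string` option of the 1.4 `appsession` keyword.

```python
from urllib.parse import urlsplit

def find_session_id(url, name, mode):
    """Return the session id found for `name` in `url`, or None.

    "path-parameters": inspect only the first ;param after the path.
    "query-string":    inspect the name=value pairs after '?'.
    Name comparison is exact (case-sensitive): an assumption of this sketch.
    """
    parts = urlsplit(url)  # urlsplit keeps ';params' inside .path
    if mode == "path-parameters":
        _, sep, params = parts.path.partition(";")
        if not sep:
            return None                      # no path parameter at all
        first = params.split(";", 1)[0]      # only the first one is looked at
        key, eq, value = first.partition("=")
        return value if eq and key == name else None
    if mode == "query-string":
        for pair in parts.query.split("&"):
            key, eq, value = pair.partition("=")
            if eq and key == name:
                return value
        return None
    raise ValueError("unknown mode: %r" % mode)

def stickiness_report(urls, name):
    """Map each URL to the id each mode finds; None means the request
    carries nothing to stick on and would simply be load-balanced."""
    return {
        url: {m: find_session_id(url, name, m)
              for m in ("path-parameters", "query-string")}
        for url in urls
    }

# Constructed sample URLs; the first is the form quoted in the thread.
SAMPLES = [
    "http://test/cookie.php;JSESSIONID=xxxxx?querystring",
    "http://test/cookie.php?JSESSIONID=abc123",          # id in query string
    "http://test/cookie.php;foo=1;JSESSIONID=abc123",    # id is 2nd path param
    "http://test/cookie.php",                            # cookie denied, no id
]

if __name__ == "__main__":
    for url, found in stickiness_report(SAMPLES, "JSESSIONID").items():
        print(url, found)
```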
