On Sun 18.10.2009 12:46, Cyril Bonté wrote:
On Sunday 18 October 2009 12:05:55, Willy Tarreau wrote:
Cyril, I have merged your two patches.
Thanks! I'm thinking of working on a second patch.
The documentation says that appsession looks for the session in the
query string but this is not really the case. Currently, it parses the
first path parameter (followed by ';').
I would like to add an option to decide if appsession parses path
parameters (not only the first one) or the query string parameters so
it can work for URLs like "http://website/path?PHPSESSID=" for example.
Our need was to catch the jsessionid which comes before the query
string and was delimited with '!' => BEA WebLogic Cookie.
I have thought to change this but things change ;-(
The idea was:
1.) appsession per server, if necessary
2.) add delimiter, to be able to be more flexible ;-)
3.) tell the engine where to search for the session, path || query
ATTENTION: What happens when the query string is very long?
=> Performance, Security, ...
4.) add to stat page the appsession to see how much we already have
5.) add to stat page how often (request_count) and how long an appsession
Reason: tune the application setup for the session timeout. Maybe
this could be also interesting for the 'normal' cookies ;-)
6.) add the appsession hash dump into the sig_dump_state().
BTW: will SIGHUP be moved to reload the config or will it stay to
dump the states? AFAIK most servers use HUP for reload.
You see there were a lot of todos and ideas.
I'm happy that anybody has picked up this feature, thanks Cyril.
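
Points 2 and 3 of the list above (a configurable delimiter, and choosing path or query string as the search location with a bound on how much is scanned), sketched as an added example. This is not HAProxy code or code from this thread; `find_session`, `sess_mode`, `end_delim` and `max_scan` are hypothetical names and the URI is constructed.

```c
#include <stdio.h>
#include <string.h>

enum sess_mode { SESS_PATH, SESS_QUERY };    /* hypothetical names */

/* Look for "<name>=<value>" in the path parameters (';'-separated, before
 * '?') or in the query string ('&'-separated, after '?'). At most max_scan
 * bytes of the URI are examined, so a very long query string costs bounded
 * work. end_delim optionally cuts the value short (e.g. '!'); 0 disables it.
 * Returns the value length (0 if absent); *val points into uri. */
size_t find_session(const char *uri, size_t len, const char *name,
                    enum sess_mode mode, char end_delim, size_t max_scan,
                    const char **val)
{
    size_t nlen = strlen(name), i, stop;
    char sep = (mode == SESS_PATH) ? ';' : '&';
    const char *q;

    *val = NULL;
    if (len > max_scan)
        len = max_scan;                       /* hard cap on work per request */
    q = memchr(uri, '?', len);
    if (mode == SESS_QUERY && !q)
        return 0;                             /* no query string in range */
    i = (mode == SESS_QUERY) ? (size_t)(q - uri) : 0;
    stop = (mode == SESS_PATH && q) ? (size_t)(q - uri) : len;

    for (; i + nlen + 2 <= stop; i++) {
        /* a parameter starts after a separator; '?' opens the first one */
        if (uri[i] != sep && !(mode == SESS_QUERY && uri[i] == '?'))
            continue;
        if (memcmp(uri + i + 1, name, nlen) || uri[i + 1 + nlen] != '=')
            continue;
        size_t v = i + nlen + 2, e = v;
        while (e < stop && uri[e] != sep && uri[e] != '#' &&
               !(end_delim && uri[e] == end_delim))
            e++;
        *val = uri + v;
        return e - v;
    }
    return 0;
}

int main(void)
{
    const char *u = "/app/page;jsessionid=ABC123!-1234?x=1";  /* constructed */
    const char *v;
    size_t n = find_session(u, strlen(u), "jsessionid", SESS_PATH, '!', 2048, &v);
    printf("%.*s\n", (int)n, v ? v : "");
    return 0;
}
```

A session identifier that lies beyond `max_scan` is treated as absent, so the request would be handled as one without a session.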