Hi,

thanks for the reply Willy + Cyril.

On 09.04.2010 22:43, Cyril Bonté wrote:
> Hi,
> 
> On Friday 9 April 2010 20:21:24, Willy Tarreau wrote:
>>> With 1.3.22 and .24 I just get the "manage_server_side_cookies". When I constantly deny the cookie,
>>> the requests are round robbed, while with 1.4.4 they are sticky from the first request on, because
>>> the url appsession lookup in the url is working.
>>
>> Could you please also include a dump of the exchange between the client and
>> haproxy (or even an output of "haproxy -d") ? It is possible that something
>> appears mangled and that we're not thinking about it.
>>
>>> Will this be fixed in 1.3.x or do you suggest to upgrade to 1.4?
>>
>> No, there is no reason to upgrade for something that ought to work. 1.3 is
>> still maintained, so if it is supposed to work and it doesn't, it's a bug
>> and it needs to be fixed. If the fix is too dangerous, we may reconsider
>> this but right now this has not been qualified yet. However, you can use
>> 1.4 as a workaround (or maybe you plan to upgrade for other reasons).
> 
> Well, no this is not really a bug.
> HAProxy 1.3.x only parses the path parameters, behind a semicolon (and only the first one),
> like http://test/cookie.php;jsessionid=xxxxx?querystring

This explains the behaviour, so I guess debugging output (hash table dump) is not required.
Is the cookie name in appsession case insensitive when it's matched in the URL?

> 
> The only "bug" is that the documentation says it checks the query string, which is not true.
> That's why I added a mode to appsession in one of the 1.4.x patches, which allows to choose
> between path parameters and the query string.

Will this be backported to 1.3.x or can this patch be safely applied to 1.3? This sounds like a
great thing to have in 1.3.

> 
> http://haproxy.1wt.eu/git?p=haproxy-1.4.git;a=commit;h=b21570ae0f5024b86b72762a519972fbce5b307e
> 
> Now, what I don't understand: why is your JSESSIONID parameter in the query string? Which server
> do you use to allow that?
> 

That's easily explained: I'm using a very short piece of PHP and decided to name the variable
JSESSIONID. Of course, this might cause some confusion.

Thanks for sharing your experience with cookies, Willy. I can't believe that a site with 2M visitors
per day doesn't even have a single security obsessed visitor that turned off cookies completely. I
agree on this, it's just a requirement in a project.

> Multiple sticks are supported though right now we can only stick on IP addresses.

Is this something that will be implemented in 1.4 or are you talking about 1.3 vs. 1.4 when you say
it's not supported right now?

Is there a place to read about the precedence of the different methods (cookie, appsession, balance)?

Best,

Michael
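
The two lookups contrasted in this thread (first path parameter behind a semicolon versus the query string), as an added Python illustration that is not HAProxy source and not code from any poster. Function names and sample URIs are constructed, and the case-insensitive default is an assumption, since the thread leaves that question open.

```python
# Added illustration, not HAProxy source. Names and sample URIs are constructed.
from typing import Optional


def _match(pair: str, name: str, ignore_case: bool) -> Optional[str]:
    """Return the value if `pair` is `name=value`, else None."""
    key, eq, value = pair.partition("=")
    if not eq:
        return None
    same = key.lower() == name.lower() if ignore_case else key == name
    return value if same else None


def session_from_path_parameter(uri: str, name: str,
                                ignore_case: bool = True) -> Optional[str]:
    """Path-parameter lookup: only the FIRST ';' parameter before '?' is examined."""
    path = uri.partition("?")[0]
    _, sep, params = path.partition(";")
    if not sep:
        return None
    return _match(params.split(";", 1)[0], name, ignore_case)


def session_from_query_string(uri: str, name: str,
                              ignore_case: bool = True) -> Optional[str]:
    """Query-string lookup: scan every '&'-separated pair after the first '?'."""
    query = uri.partition("?")[2]
    for pair in query.split("&"):
        value = _match(pair, name, ignore_case)
        if value is not None:
            return value
    return None


# Constructed sample URIs; the first is the form quoted in the thread.
SAMPLES = [
    "http://test/cookie.php;jsessionid=xxxxx?querystring",
    "http://test/cookie.php?JSESSIONID=abc123&x=1",
    "/app;lang=en;jsessionid=zzz",  # session id is the second path parameter
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(uri,
              session_from_path_parameter(uri, "JSESSIONID"),
              session_from_query_string(uri, "JSESSIONID"))
```

A request that carries the session id only in the query string yields nothing under the path-parameter lookup, so stickiness cannot be established from the URL in that mode.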
