Hi Willy,

I've a question about how we should configure HAProxy to support the session cookies in our environment. Apologies if you've answered this already, but I couldn't find it in the forums etc. if so!

Our setup is that we have multiple backends to which a single frontend directs requests, using path-based ACLs. For example, two URLs a client might use to access our backend via HAProxy would be:

http://haproxyserver:12345/appName1/someRequest
http://haproxyserver:12345/appName2/someRequest

"appName1" and "appName2" will evaluate to different backends. These backends may be on different server clusters. In many cases, our applications use the same session cookie - "JSESSIONID".

The problem occurs when a client tries to simultaneously access two such applications via HAProxy (using a single browser instance), and where those two different applications are on different backend clusters. The browser is trying to associate the two different "JSESSIONID" cookies from the applications/backends with a single site name of "haproxyserver", and therefore both cookie values (and hence both sessions) cannot be maintained simultaneously.

Obviously, we wouldn't have this problem if either the applications used different session cookie names, or if they applied a cookie-path value as well - but they don't, and it's not easy for us to change them! The problem would also not occur if the clients used separate browser process instances for the different applications - however this is also not easy to enforce, as many of our users are accessing applications via a thick-client application which uses a single browser process to render all HTTP requests.

Is there anything we can do in our HAProxy configuration to avoid this scenario - for example rewrite/prefix the cookie name (as opposed to value) or insertion of a cookie path?

Thanks very much.

Regards,
Adrian
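
The collision described in the message above, and the effect of the cookie-path insertion it asks about, as an added example that is not part of the original message and is not HAProxy configuration. It models the browser's cookie store keyed on (host, path, name); the cookie values, the `Path=/` scope on the backend responses, and the names `BrowserJar`, `scope_to_app` and `simulate` are assumptions made for the illustration.

```python
# Added illustration: cookie values and the Path=/ scope are constructed.
HOST = "haproxyserver"
RESPONSES = [  # (app, Set-Cookie as the backend emits it)
    ("appName1", "JSESSIONID=AAA111; Path=/; HttpOnly"),
    ("appName2", "JSESSIONID=BBB222; Path=/; HttpOnly"),
]

class BrowserJar:
    """Browser-side store: one cookie per (host, path, name)."""
    def __init__(self):
        self.cookies = {}

    def store(self, host, request_path, header):
        pair, *attrs = [p.strip() for p in header.split(";")]
        name, _, value = pair.partition("=")
        # RFC 6265 default-path, used when no Path attribute is present
        path = request_path.rsplit("/", 1)[0] or "/"
        for attr in attrs:
            key, _, val = attr.partition("=")
            if key.lower() == "path" and val:
                path = val
        self.cookies[(host, path, name)] = value

    def send(self, host, request_path):
        """Cookies attached to a request (simplified RFC 6265 path-match)."""
        sent = {}
        for (h, path, name), value in self.cookies.items():
            if h == host and (request_path + "/").startswith(path.rstrip("/") + "/"):
                sent[name] = value
        return sent

def scope_to_app(header, app):
    """Proxy-side response rewrite: force Path=/<app>, keep other attributes."""
    parts = [p.strip() for p in header.split(";")]
    kept = [p for p in parts if not p.lower().startswith("path=")]
    return "; ".join(kept + [f"Path=/{app}"])

def simulate(rewrite):
    """Visit both apps in one browser; return the cookies each app then receives."""
    jar = BrowserJar()
    for app, header in RESPONSES:
        if rewrite:
            header = scope_to_app(header, app)
        jar.store(HOST, f"/{app}/someRequest", header)
    return {app: jar.send(HOST, f"/{app}/someRequest") for app, _ in RESPONSES}

if __name__ == "__main__":
    print("as emitted :", simulate(rewrite=False))
    print("path-scoped:", simulate(rewrite=True))
```

Without the rewrite, the second `JSESSIONID` replaces the first and appName1 receives appName2's session ID; with a per-application path, each backend gets its own cookie back.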

