Hi Willy,

I've a question about how we should configure HAProxy to support the session 
cookies in our environment. Apologies if you've answered this already, but I 
couldn't find it in the forums etc. if so!

Our setup is that we have multiple backends to which a single frontend directs 
requests, using path-based ACLs. For example, two URLs a client might use to 
access our backend via haproxy would be:

http://haproxyserver:12345/appName1/someRequest

http://haproxyserver:12345/appName2/someRequest

"appName1" and "appName2" will evaluate to different backends. These backends 
may be on different server clusters.

In many cases, our applications use the same session cookie - "JSESSIONID". The 
problem occurs when a client tries to simultaneously access two such 
applications via HAProxy (using a single browser instance), and where those two 
different applications are on different backend clusters. The browser is trying 
to associate the two different "JSESSIONID" cookies from the 
applications/backends with a single site name of "haproxyserver", and therefore 
both cookie values (and hence both sessions) cannot be maintained 
simultaneously.

Obviously, we wouldn't have this problem if either the applications used 
different session cookie names, or if they applied a cookie-path value as well 
- but they don't, and it's not easy for us to change them! The problem would 
also not occur if the clients used separate browser process instances for the 
different applications - however this is also not easy to enforce, as many of 
our users are accessing applications via a thick-client application which uses 
a single browser process to render all HTTP requests.

Is there anything we can do in our HAProxy configuration to avoid this scenario 
- for example rewrite/prefix the cookie name (as opposed to value) or insertion 
of a cookie path? Thanks very much.

Regards,

Adrian
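An added configuration example, not from the original thread or from the HAProxy project, showing the two approaches the question asks about: scoping the cookie with a Path attribute, and prefixing the cookie name. It assumes HAProxy 1.6 or later (for `http-request` / `http-response replace-header`), the port 12345 from the post, and placeholder backend hostnames.

```haproxy
# Added example, not from the original thread. Assumes HAProxy 1.6+ for
# http-request/http-response replace-header; hostnames are placeholders.

frontend fe_apps
    bind *:12345
    mode http

    # Path-based routing as described in the post. Matching the trailing "/"
    # (or the exact path) keeps /appName1 from also matching e.g. /appName10.
    acl is_app1 path_beg /appName1/
    acl is_app1 path     /appName1
    acl is_app2 path_beg /appName2/
    acl is_app2 path     /appName2

    use_backend be_app1 if is_app1
    use_backend be_app2 if is_app2

# Approach 1: scope the cookie by path. The browser then stores one
# JSESSIONID per Path and only sends the matching one, so nothing needs
# rewriting on the request side.
backend be_app1
    mode http
    server app1 app1.example.internal:8080 check   # placeholder host

    # Append "; Path=/appName1" to JSESSIONID while keeping any other
    # attributes the application set (HttpOnly, Secure, ...), which are
    # captured in \2. Assumes the application does not already emit a Path.
    http-response replace-header Set-Cookie ^(JSESSIONID=[^;]*)(.*)$ \1;\ Path=/appName1\2

# Approach 2: prefix the cookie name. Both cookies then coexist at Path=/,
# so the name must be rewritten in both directions: in the Set-Cookie the
# application sends, and in the Cookie header the browser sends back.
backend be_app2
    mode http
    server app2 app2.example.internal:8080 check   # placeholder host

    # Response: JSESSIONID=... -> APP2_JSESSIONID=...
    http-response replace-header Set-Cookie ^JSESSIONID=(.*)$ APP2_JSESSIONID=\1

    # Request: APP2_JSESSIONID=... -> JSESSIONID=... so the application
    # recognises its own session cookie. Other cookies (\1 and \3) pass
    # through untouched and are simply ignored by the application.
    http-request replace-header Cookie ^(.*)APP2_JSESSIONID=([^;]*)(.*)$ \1JSESSIONID=\2\3
```

After reloading, `curl -i http://haproxyserver:12345/appName1/someRequest` should show the `Set-Cookie` header coming back with `Path=/appName1` and with whatever `HttpOnly` / `Secure` flags the application already set, since the regex only inserts the attribute rather than replacing the value. Two caveats worth keeping in mind: the Path attribute is a storage scoping rule in the browser, not an access boundary, so both applications still share the `haproxyserver` origin and each other's cookies remain readable to script on that origin unless they are `HttpOnly`; and the name-prefix variant only works if the application reads its session cookie from the `Cookie` header that HAProxy rewrites, not from some other channel.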

