Hi Aleks,
On Tue, Dec 08, 2015 at 11:35:20PM +0100, Aleksandar Lazic wrote:
> Hi.
>
> Am 08-12-2015 11:23, schrieb Thierry FOURNIER:
> >Hi,
> >
> >I agree with you, but in HAProxy, the ';' is considered as parameter
> >delimiter. Its hardcoded, and I don't known the reason.
>
> There are several reasons for the ';' to be a separator similar like
> '&'.
>
> http://www.skorks.com/2010/05/what-every-developer-should-know-about-urls/
> http://www.w3.org/TR/html401/appendix/notes.html#h-B.2.2
>
> As far as I remember almost every Appserver add a ';....session=....' to
> the URL when the server detects that the client does not accept cookies.
>
> http://javarevisited.blogspot.co.at/2012/08/what-is-jsessionid-in-j2ee-web.html
> http://www.php.net/manual/en/session.configuration.php#ini.session.use-trans-sid
> http://www.programmerinterview.com/index.php/php-questions/can-sessions-work-without-cookies/
Thanks for the links. Indeed it's again caused by not every application
agreeing on the delimiter to use there. I remember we had this discussion
10 years ago when you needed to support ';' as a delimitor for the
appsession cookie because you were already seeing a lot of applications
using it.
The root of the problem stems to the fact that no spec has ever recommended
to send the semi-colon %-encoded when it designates a character part of a
string. Here if the URL was constructed as "word1%3B+word2" there wouldn't
be any issue.
We could imagine having an optional third parameter to urlp to indicate
what only delimiter we support. But that would become a real mess for
users to properly configure :-(
Laurent, I think until we find a better solution, one possibility would
be to first re-encode the ';' in the query string :
http-request set-query %[query,regsub(;,%3B,g)]
Then you'll be safe.
Regards,
Willy
