I'm happy with the latest change to get_cookie but there is one more problem I've found.

We, UF, have a convention of putting production services at http://service.ufl.edu/ and testing beta services at http://test.service.ufl.edu/.

This causes a problem with cookie-based session tracking, which I partly blame on the cookie spec. The problem is the http://service.ufl.edu/ JSESSIONID cookie is made available to the http://test.service.ufl.edu/ webapp. What happens is mod_jk takes the first JSESSIONID cookie and uses that for picking the jvmroute. Since the lb clusters in our test.service setups are smaller, it's not possible for all the jvmroutes from the production to map to the test jvmroutes. In this case it's random where mod_jk sends the request and users can't get past the login page since their requests aren't being sent to the right clone.

What mod_jk should do is check all JSESSIONID cookies for a known jvmroute and use one that matches instead of just using the first one. (I believe I checked the source to Tomcat 5.something and it did the right thing in the case of many JSESSIONID cookies, so that part is fine.)

The problem comes from the cookie spec http://wp.netscape.com/newsref/std/cookie_spec.html stating that "When sending cookies to a server, all cookies with a more specific path mapping should be sent before cookies with less specific path mappings." but it's silent on the order of cookies when it comes to more specific domains. It seems Mozilla orders cookies based on the domain but IE doesn't. Sadly, most users use IE.

Sandy McArthur
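
The selection rule proposed in the message, sketched as an added example that is not part of the original message and is not mod_jk source. The function name `pick_route`, the `<id>.<jvmRoute>` value layout, and the sample header and route names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not mod_jk source). Walks every "name=value" pair in a
 * Cookie header; for each cookie called `name`, takes the text after the first
 * '.' in the value as the jvmRoute and returns 1 with it copied to `out` as
 * soon as one is in `routes`. Returns 0 if no cookie names a known route. */
static int pick_route(const char *hdr, const char *name,
                      const char *const *routes, size_t nroutes,
                      char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = hdr;

    while (*p) {
        while (*p == ' ' || *p == ';')      /* skip pair separators */
            p++;
        const char *end = strchr(p, ';');
        if (!end)
            end = p + strlen(p);
        /* exact cookie-name match: pair must start with "name=" */
        if ((size_t)(end - p) > nlen && !strncmp(p, name, nlen) && p[nlen] == '=') {
            const char *val = p + nlen + 1;
            const char *dot = memchr(val, '.', (size_t)(end - val));
            size_t rlen = dot ? (size_t)(end - dot - 1) : 0;
            for (size_t i = 0; dot && i < nroutes; i++) {
                if (strlen(routes[i]) == rlen && rlen < outlen &&
                    !memcmp(routes[i], dot + 1, rlen)) {
                    memcpy(out, dot + 1, rlen);
                    out[rlen] = '\0';
                    return 1;
                }
            }
        }
        p = end;
    }
    return 0;
}

int main(void)
{
    /* Constructed header: the production cookie arrives first. */
    const char *hdr = "JSESSIONID=0A1B2C.prod7; JSESSIONID=9F8E7D.test1";
    const char *const routes[] = { "test1", "test2" };  /* test cluster */
    char route[32];

    if (pick_route(hdr, "JSESSIONID", routes, 2, route, sizeof route))
        printf("route=%s\n", route);
    else
        printf("no known route; balance normally\n");
    return 0;
}
```

When the function returns 0, the caller falls back to ordinary load balancing, which is the behaviour for a request with no usable session route.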
