Hi Cyril,
On Tue, Apr 06, 2010 at 12:19:29AM +0200, Cyril Bonté wrote:
> Hi Aleksandar and Willy,
> While working on "ignore-persist" (as discussed in another thread), I met a
> strange behaviour with appsession.
>
> I first thought this was a regression due to one of my previous patches but
> after testing with a 1.3.15.12 version, I also could reproduce it.
>
> To illustrate, the configuration contains :
> appsession PHPSESSID len 32 timeout 1h
>
> Then I call a short PHP script containing :
> setcookie("P", "should not match")
>
> When calling this script through haproxy, the cookie "P" matches the appsession
> rule:
> Dumping hashtable 0x11f05c8
> table[1572]: should+not+match
>
> Shouldn't it be ignored ?
Yes, it should.
> If you confirm, I'll send a patch for 1.3 and 1.4 branches to check that the
> cookie length is equal to the appsession name length.
From my memory, it is also accepted that the cookie is *at least* as long
as the appsession name length (e.g. for ASPSESSIONIDXXX=YYY).
I suspect there is a wrong length computation somewhere; it's a common
mistake to take len=MIN(found,configured) and match on that.
Thanks,
Willy
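
Added example, not part of the original message and not HAProxy's code: a sketch of the MIN(found,configured) comparison next to the "at least as long" and "equal length" rules discussed in this thread. All function names are hypothetical, the sample cookies are constructed, and the configured name ASPSESSIONID for the ASP case is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative helpers only; names are hypothetical, not HAProxy's source. */
#define MIN(a, b) ((a) < (b) ? (a) : (b))

typedef int (*matcher_fn)(const char *, size_t, const char *, size_t);

/* The mistake: compare only MIN(found, configured) bytes, so any cookie
 * name that is a prefix of the configured name ("P" vs "PHPSESSID") matches. */
static int match_min_len(const char *name, size_t nlen, const char *cfg, size_t clen)
{
    return memcmp(name, cfg, MIN(nlen, clen)) == 0;
}

/* "At least as long" rule: the cookie name must start with the configured
 * name, which still accepts suffixed names such as ASPSESSIONIDXXX. */
static int match_prefix(const char *name, size_t nlen, const char *cfg, size_t clen)
{
    return nlen >= clen && memcmp(name, cfg, clen) == 0;
}

/* Strict rule: cookie name length equals the configured name length. */
static int match_exact(const char *name, size_t nlen, const char *cfg, size_t clen)
{
    return nlen == clen && memcmp(name, cfg, clen) == 0;
}

/* Apply a matcher to the name part of a "name=value" cookie string. */
static int cookie_matches(matcher_fn m, const char *cookie, const char *cfg)
{
    const char *eq = strchr(cookie, '=');
    size_t nlen = eq ? (size_t)(eq - cookie) : strlen(cookie);
    return m(cookie, nlen, cfg, strlen(cfg));
}

int main(void)
{
    /* Constructed samples: {cookie, configured appsession name}. */
    const char *t[][2] = { { "P=should+not+match", "PHPSESSID" },
                           { "PHPSESSID=0123456789abcdef0123456789abcdef", "PHPSESSID" },
                           { "ASPSESSIONIDXXX=YYY", "ASPSESSIONID" } };
    for (size_t i = 0; i < sizeof(t) / sizeof(t[0]); i++)
        printf("%-20.20s min=%d prefix=%d exact=%d\n", t[i][0],
               cookie_matches(match_min_len, t[i][0], t[i][1]),
               cookie_matches(match_prefix, t[i][0], t[i][1]),
               cookie_matches(match_exact, t[i][0], t[i][1]));
    return 0;
}
```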