Le mardi 6 avril 2010 06:49:32, Willy Tarreau a écrit : > From my memory, it is also accepted that the cookie is *at least* as long > as the appsession name length (eg: for ASPSESSIONIDXXX=YYY).
Oh ok, with that last bug I understand why you already told me that some monthes ago ! ASPSESSIONIDXXX=YYY is not accepted in the 1.3 branch, this is why I added the "prefix" keyword to be able to get the value "XXX=YYY" in the 1.4 branch. From what you just said, I guess the code should detect a cookie named "ASPSESSIONIDXXX" and get the value "YYY". > I suspect there is a wrong length computation somewhere, it's a common > mistake to take len=MIN(found,configured) and match on that. This is due to the comparison length, where the cookie length is took into account instead of the appsession name length. Using the appsession name length would allow ASPSESSIONIDXXX (+ check that memcmp won't go after the buffer size). Well, to finalize the patch, what do you prefer ? accept ASPSESSIONIDXXX (which didn't work) or strictly detect ASPSESSIONID ? -- Cyril Bonté
