Re: [PATCH] Allow to specify a domain for a cookie

From: Willy Tarreau <w#1wt.eu>
Date: Sun, 25 May 2008 10:18:56 +0200


Hi Krzysztof !

On Fri, May 23, 2008 at 11:59:12PM +0200, Krzysztof Oledzki wrote:
> >From 9c1f6f13fd0519cdef68bb5c9bf62a10a178dad6 Mon Sep 17 00:00:00 2001
> From: Krzysztof Piotr Oledzki <ole#ans.pl>
> Date: Fri, 23 May 2008 23:49:32 +0200
> Subject: [MINOR] Allow to specify a domain for a cookie
>
> This patch allows to specify a domain used when inserting a cookie
> providing a session stickiness. Usefull for example with wildcard domains.

Cool, very nice, and I must say that I recently expressed the same need. One customer also suggested that we add the ability to set an Expires value to the persistence cookie. I explained that it would turn the cookies into stored cookies, but the proposed idea was that it is useful precisely when application sets stored cookies. He wanted to cover the risk that a client bound to a failed server can never reconnect to another server without closing the browser.

The discussion turned to two possibilities (not exclusive) :

I must say that I find the second option particularly interesting, as we could say that we insert a persistence cookie only when the server sets session cookie X, and that we use the same attributes (expires, domain, path, ...). We could also flush the cookie when the server does the same. It would provide about the same features as the prefix mode cookie, but without touching the existing one.

I'd be interested in users' opinion on such a feature.

> The patch adds one new variable to the struct proxy: cookiedomain.
> When set the domain is appended to a Set-Cookie header.
>
> Domain name is validated using the new invalid_domainchar() function.
> It is basically invalid_char() limited to [A-Za-z0-9_.-]. Yes, the test
> is too trivial and does not cover all wrong situations, but the main
> purpose is to detect most common mistakes, not intentional abuses.

OK, that makes sense.

> The underscore ("_") character is not RFC-valid but as it is
> often (mis)used so I decided to allow it.

OK for this too. Have you found situations where people try to use these chars, since they cannot put them in DNS records ? Maybe when they map windows server names into /etc/hosts ?

BTW, I've applied your patch, thanks!
Willy Received on 2008/05/25 10:18

This archive was generated by hypermail 2.2.0 : 2008/05/25 10:30 CEST