Re: Expire Cookies ??

From: Willy Tarreau <w#1wt.eu>
Date: Fri, 1 Apr 2011 07:53:52 +0200


Hi Joel,

On Thu, Mar 31, 2011 at 12:29:27PM -0700, Joel Krauska wrote:
> It would be nice to be able to set an expiration timer on server
> persistence cookies set by HAProxy.
>
> A'la:
> http://en.wikipedia.org/wiki/HTTP_cookie#Expires_and_Max-Age
>
> From what I can tell HAProxy is not setting an expires window for cookies.
>
> Is this a feature that I just can't find in the documentation?

We have a different method for fixing expiration. Check the "cookie" settings "maxidle" and "maxlife", which respectively allow you to tell how long an idle period can be for a cookie to be reused, and how long it can be used at all, regardless of activity.

We must not use the cookie's expire parameter because that turns the cookie into persistent mode on the browser (the browser stores it, it's not a session cookie anymore). Much more people block those than session cookies because they're mainly used for tracking. Additionally, there some large sites who could not make use of them at all because in their end user agreement rules, they promise not to store anything on their users' PC, which is incompatible with this model.

In the end, the way we do it makes it better because haproxy still receives the cookie and can make decisions and emit logs about its status. That way you know if your timeouts affect too many people for instance, and you can change a cookie's expiration parameters at any time.

Regards,
Willy Received on 2011/04/01 07:53

This archive was generated by hypermail 2.2.0 : 2011/04/01 08:00 CEST