Line 220 of config.c from v1.7 is matches a session IP value as
"^[ \t]*Session[ \t]+IP[ \t]+([0-9-][0-9]*)[ \t]*$".

Why accept hyphens?  What's the purpose of negative time values?
[...]

On Thursday 03 June 2004 22.11, Paul Chvostek wrote:[...]

If the time is positive a session is kept for that long (number of seconds). 
The client IP address is the session key. This works exactly like the cookie 
or id based sessions.

If the value is negative Pound uses "sticky" sessions: a client IP address is 
always mapped (hashed) to the the same back-end. See get_be() in svc.c for 
details.

I appreciate your going over the code with a fine comb - keep up the good work 
and let us know whatever else you find.[...]