Dear list,

I'm trying to make Pound track EJB sessions. There appear
a number of problems that are listed below.

1. Session tag (jsessionid) may appear either as a cookie
or as a part of the URL (in case the client doesn't support cookies).
This problem could theoretically be defeated by using two URL groups:
--
UrlGroup ".*jsessionid=.*"
Session URL jsessionid
EndGroup
UrlGroup ".*"
Session COOKIE jsessionid
EndGroup
--
and by the look of the svc.c::get_key() it shouldn't be very
difficult to make it use both Cookie and Url sessions.

2. Jsessionid appears in the URL as a part of the URL itself,
not as a query parameter:
http://server/file.html;jsessionid=abc?param=value
and so Pound happily ignores it. This is easily fixed in the
config.c:582:
- snprintf(pat, MAXBUF - 1, "[?&]%s=([^&]*)", lin + matches[1].rm_so);
+ snprintf(pat, MAXBUF - 1, "[?&;]%s=([^&?]*)", lin +
matches[1].rm_so);

3. Now for the tough part, given the following scenario:

client -> pound -> server1: GET /index.html
server1 -> pound -> client: Set-Cookie: jsessionid=abc

client -> pound: GET /index.html, Cookie: jsessionid=abc
... pound binds jsessionid=abc to server2 ...
client -> pound -> server2: GET /index.html, Cookie: jsessionid=abc
server2 -> pound -> client: Invalid session id <---- PROBLEM

So, the problem is that session id is generated by one server, is
set and returned to the client in the _response_, not the _request_.
Next time the client sends a request with that session id, Pound can
redirect it to another server which has no idea about that session.

Am I missing something obvious ? Does anybody use Pound in front
of ejb ? Is there any way Pound can assign the session based on
the response ? Any ideas ?

Sincerely,
Dmitry Dvoinikov
http://www.targeted.org/

On Thursday 07 April 2005 07:38, Dmitry Dvoinikov wrote:[...]

Not really - as long as it's one or the other...
[...]

This is unusual, to say the least. I can also assure you this is not EJB but 
application dependent.

I must admit I never saw the URL segment part used as an extra parameter. Has 
anybody else seen anything like it?
[...]

No. Pound knows to look for the cookie (or parameter) in the response and to 
set the session accordingly. Look in http.c in the part that deals with the 
response for the code that does that.
[...]
[...]

>> and by the look of the svc.c::get_key() it shouldn't be very[...]
[...]

I meant - patch either so that it acts like both. Semantics would
be broken, right you are.
[...]
[...]
[...]

I thought it was the designed way, quote from Java Servlet Specification 2.4:

--
SRV.7.1.3 URL Rewriting
URL rewriting is the lowest common denominator of session tracking. When a
client will not accept a cookie, URL rewriting may be used by the server as the
basis
for session tracking. URL rewriting involves adding data, a session ID, to the
URL
path that is interpreted by the container to associate the request with a
session.
The session ID must be encoded as a path parameter in the URL string. The
name of the parameter must be jsessionid. Here is an example of a URL
containing encoded path information:
http://www.myserver.com/catalog/index.html;jsessionid=1234
--

Upon your note, I googled for allinurl:jsessionid, and yes, there is a lot
of URLs where jsessionid is a URL parameter, but there also are such
where it is a "path parameter" (sounds weird for me either).
[...]
[...]

Great, will look into that. Thank you.

Sincerely,
Dmitry Dvoinikov
http://www.targeted.org/