Hello,

We have just installed the latest version of pound (2.0.1) in front of
an application we have been using for over 2 years now.  Today is the
first day we added any significant load to the server and we have seen
several times where the user is logged out of the application very
randomly.  It is not easy to reproduce, but if you use the application
long enough, it will happen.  We have not seen this until today.   The
application relies on a cookie to keep the user logged in, and my
guess is that this cookie is disappearing.  The backend is a set of 4
servers that use a central memcached machine to store session
information.  Before pound, we used a simple load-balancer to balance
traffic between the four servers and never had any problems.  Our
application does not rely on users being tied down to a particular
backend, since the session info is stored in a centralized location. 
My config is pretty basic, we do use the AddHeader statement to ensure
the backend knows which hits are SSL and which hits are non-SSL, so I
was speculating that maybe when pound added the header the other
headers may become corrupt in some cases.  I'm was wondering if anyone
else has ever seen this or had any ideas on how to debug further.

Kevin

Kevin,

I have exactly the same problem at our site using pound 1.9.4! We also add a 
header from Pound to tell the webservers they are running behind pound on 
SSL and users randomly lose their sessions. The strange thing is that when 
we have pound use only 1 backend server for each subdomain (not really load 
balancing anymore) everything seems to work fine.

I haven't gotten around to test it further, so I can't really be of any help 
yet, but hopefully someone from apsis might take notice since both of us are 
experiencing the same thing.

Siggi

----- Original Message ----- 
From: "Kevin Minnick" <kwminnick(at)gmail.com>
To: <pound(at)apsis.ch>
Sent: Friday, February 10, 2006 10:15 PM
Subject: [Pound Mailing List] Cookie Disappearing

[...]

On 2/13/06, Siggi Oskarsson <siggi(at)junesystems.com> wrote:[...]

If I use Pound sessions to tie users to a specific backend, I think
the problem is reduced but I know it still exists.  It was suggested
that I use tcpwatch to examine the data going back and forth, but it
works fine 99% of the time and we have too much traffic to examine all
of this data.  I'm going to try turn pound on again tomorrow with
these options additional options in hopes it might help:

Change30x 0
NoHTTPS11 1

Kevin
[...]

On 2/13/06, Kevin Minnick <kwminnick(at)gmail.com> wrote:[...]
Just wanted everyone to know that we have found the problem.  I would
like to proudly admit that I was wrong in thinking there was a bug in
pound, in fact, pound just exposed a problem that existed in our
application.  It turns out that we were generating session id's partly
based on the remote IP address.  And since all hits come from the same
IP when you use pound in front of the backends, there was a good
chance that if two people generated a session id at the same time it
would generate an identical session id.  Since fixing our code and
turning pound back on we have not seen any problems.

After we finish rolling out pound to all of our websites I will post
the performance results, we have a lot of traffic so the numbers
should be interesting.

Kevin

On Thu, 2006-02-16 at 09:47 -0500, Kevin Minnick wrote:[...]

Many thanks for the information - it's good to know we don't have to
hunt for it.

Looking forward to seeing your results.[...]