Session are not stiky when cookie content size > KEY

Hi,

when session cookie is longer than KEY_SIZE (63 char) the session is not 
stiky any more, even with cookies content that doesn't not start with 
the same substring.

As far as I understand this is due to a bug in svn.c the key size return 
by get_HEADER can be KEY_SIZE + 1 long, while sess_add do a strncpy of 
KEY_SIZE without the ending '\0', this prevent sess_find to return an 
existing session as it uses strcmp.

I have fixed the problem in a production site using a longer KEY_SIZE 
but I think the correct patch is to use a strncpy(res->key, key, 
KEY_SIZE+1) in sess_add.

Unfortunately I am not able to test this patch.

Thanks for this great software.

ben

PS: I use latest pound version 2.2.1

Re: [Pound Mailing List] Session are not stiky when cookie content size > KEY_SIZE
Maurice Yarrow <yarrow(at)best.com>

2007-01-12 15:51:04

[ FULL ]

Hello Ben

Would you care to make your svn.c patch (ver.2.2.1) available to the
community ?

Maurice


ben wrote:
[...]

RE: [Pound Mailing List] Session are not stiky when cookie content size > KEY_SIZE
"Joe Gooch" <mrwizard(at)k12system.com>

2007-01-16 16:45:05

[ FULL ]

> -----Original Message-----[...]
content[...]
not[...]
return[...]

The sizes look fine.  They each do a strncpy of KEY_SIZE.  It's just
that get_HEADER does an explicit null termination.

The problem is that the SESS structure isn't initialized with \0's
before writing.  It looks like this was fixed in v2.2.2.  (In addition
to making KEY_SIZE 127)

Joe Gooch
K12 Systems, Inc.