|
/
Zope
/
Apsis
/
Pound Mailing List
/
Archive
/
2007
/
2007-01
/
Session are not stiky when cookie content size > KEY_SIZE
[
https redirection / "Carl Sajjan" ... ]
[
Pound2.2.1. Data are canceld during communication ... ]
Session are not stiky when cookie content size > KEY_SIZE
ben <bdelbosc(at)nuxeo.com> |
2007-01-12 09:20:42 |
[ SNIP ]
|
Hi,
when session cookie is longer than KEY_SIZE (63 char) the session is not
stiky any more, even with cookies content that doesn't not start with
the same substring.
As far as I understand this is due to a bug in svn.c the key size return
by get_HEADER can be KEY_SIZE + 1 long, while sess_add do a strncpy of
KEY_SIZE without the ending '\0', this prevent sess_find to return an
existing session as it uses strcmp.
I have fixed the problem in a production site using a longer KEY_SIZE
but I think the correct patch is to use a strncpy(res->key, key,
KEY_SIZE+1) in sess_add.
Unfortunately I am not able to test this patch.
Thanks for this great software.
ben
PS: I use latest pound version 2.2.1
|
|
|
Re: [Pound Mailing List] Session are not stiky when cookie content size > KEY_SIZE
Maurice Yarrow <yarrow(at)best.com> |
2007-01-12 15:51:04 |
[ SNIP ]
|
Hello Ben
Would you care to make your svn.c patch (ver.2.2.1) available to the
community ?
Maurice
ben wrote:
> Hi,
>
> when session cookie is longer than KEY_SIZE (63 char) the session is
> not stiky any more, even with cookies content that doesn't not start
> with the same substring.
>
> As far as I understand this is due to a bug in svn.c the key size
> return by get_HEADER can be KEY_SIZE + 1 long, while sess_add do a
> strncpy of KEY_SIZE without the ending '\0', this prevent sess_find to
> return an existing session as it uses strcmp.
>
> I have fixed the problem in a production site using a longer KEY_SIZE
> but I think the correct patch is to use a strncpy(res->key, key,
> KEY_SIZE+1) in sess_add.
>
> Unfortunately I am not able to test this patch.
>
> Thanks for this great software.
>
> ben
>
> PS: I use latest pound version 2.2.1
>
|
|
|
RE: [Pound Mailing List] Session are not stiky when cookie content size > KEY_SIZE
"Joe Gooch" <mrwizard(at)k12system.com> |
2007-01-16 16:45:05 |
[ SNIP ]
|
> -----Original Message-----
> From: ben [mailto:bdelbosc(at)nuxeo.com]
> Sent: Friday, January 12, 2007 3:21 AM
> To: pound(at)apsis.ch
> Subject: [Pound Mailing List] Session are not stiky when cookie
content
> size > KEY_SIZE
>
> Hi,
>
> when session cookie is longer than KEY_SIZE (63 char) the session is
not
> stiky any more, even with cookies content that doesn't not start with
> the same substring.
>
> As far as I understand this is due to a bug in svn.c the key size
return
> by get_HEADER can be KEY_SIZE + 1 long, while sess_add do a strncpy of
> KEY_SIZE without the ending '\0', this prevent sess_find to return an
> existing session as it uses strcmp.
The sizes look fine. They each do a strncpy of KEY_SIZE. It's just
that get_HEADER does an explicit null termination.
The problem is that the SESS structure isn't initialized with \0's
before writing. It looks like this was fixed in v2.2.2. (In addition
to making KEY_SIZE 127)
Joe Gooch
K12 Systems, Inc.
|
|
|
|
