Mailing List Archive

[mod_backhand-users] Multiple set-cookie bug
I recently began using mod_backhand on a site that I run, livejournal.com.
We just bought some new webservers and needed to load balance
them. mod_backhand was a wonderful solution.

One problem I've encountered though is that users on the site are not
always able to login anymore reliably. Their cookies are being lost, or
only one of several are being set. (why we need more than one is another
story...)

After tons of tinkering and packet sniffing, I think I've figured out the
problem.

HTTP request comes in to server A, gets proxied to machines B or C, B or C
answers, with multiple Set-Cookie HTTP response headers, mod_backhand only
preserves the last one (is Apache's table interface a 'bag' or 'set' ?),
and thus the user's client only sends back one cookie later.

I saw the comment and code in mod_backhand that talks about the potential
problem with multiple Cookie: lines coming in on a request if the user
agent doesn't clump them all on one line, but I think this is a separate
problem.

Once the users get a login on the site, it doesn't matter what server they
hit from then on.... they always retain all their cookies.

Can anybody familiar with the mod_backhand code confirm this problem and
ideally fix it? Or am I left to go learn the Apache table APIs? :)

Thanks,

Brad
[mod_backhand-users] Multiple set-cookie bug [ In reply to ]
Brad,

Brad Fitzpatrick wrote:
> I recently began using mod_backhand on a site that I run, livejournal.com.
> We just bought some new webservers and needed to load balance
> them. mod_backhand was a wonderful solution.
>
> One problem I've encountered though is that users on the site are not
> always able to login anymore reliably. Their cookies are being lost, or
> only one of several are being set. (why we need more than one is another
> story...)
>
> [ ... snip ... ]
>
> Can anybody familiar with the mod_backhand code confirm this problem and
> ideally fix it? Or am I left to go learn the Apache table APIs? :)

Confirmed and fixed in CVS. It is exactly what you suspected. I misused
the Apache table API. I assumed that the headers would be premerged (coming
from the other Apache server). This isn't always true, as you have seen.

On or around line 657 in mod_backhand.c, change AP_OVERLAP_TABLES_SET to
AP_OVERLAP_TABLES_MERGE.

This will fix your problem. It will be rolled into the next release.

Thanks for the bug report!

--
Theo Schlossnagle
1024D/A8EBCF8F/13BD 8C08 6BE2 629A 527E 2DC2 72C2 AD05 A8EB CF8F
2047R/33131B65/71 F7 95 64 49 76 5D BA 3D 90 B9 9F BE 27 24 E7
[mod_backhand-users] Multiple set-cookie bug [ In reply to ]
Theo,

Unfortunately, this didn't fix it. In fact, it's almost more broken.... no
cookies survive now, instead of 1 before.

As it turns out, you can't merge Set-Cookie headers... multi-valued keys can
generally be separated by commas, but not cookies. At least, not all
browsers support that.

I found this interesting:

http://www.humanfactor.com/cgi-bin/cgi-delegate/apache-ML/nh/1998/Aug/0313.html

Here's what mod_backhand is doing, with your new patch (latest CVS):

[bradfitz@papag bradfitz]$ telnet livejournal.com 80
Trying 216.231.32.123...
Connected to livejournal.com.
Escape character is '^]'.
HEAD /login_do.bml?user=test&password=test HTTP/1.0
Host: www.livejournal.com

HTTP/1.1 200 OK
Date: Fri, 23 Feb 2001 20:47:31 GMT
Server: Apache/1.3.17 (Unix) balanced_by_mod_backhand/1.1.1pre3
mod_fastcgi/2.2.10
Cache-Control: no-cache, private, proxy-revalidate
Connection: close
ETag: 59f7df4ad2182c8f46b8a5e05dc82ba6
Set-cookie: BMLSESSION=jlciuljxkdfsxzbypbryzzcokl; expires=Thursday,
24-May-2001 20:47:35 GMT; path=/, ljuser=test; path=/,
ljhpass=test:098f6bcd4621d373cade4e832627b4f6; path=/, ljuser=test; path=/;
domain=livejournal.com, ljhpass=test:098f6bcd4621d373cade4e832627b4f6;
path=/; domain=livejournal.com
Content-Type: text/html


Here's what it should look like:


[bradfitz@papag bradfitz]$ telnet livejournal.com 80
Trying 216.231.32.123...
Connected to livejournal.com.
Escape character is '^]'.
HEAD /login_do.bml?user=test&password=test HTTP/1.0
Host: www.livejournal.com

HTTP/1.1 200 OK
Date: Fri, 23 Feb 2001 20:48:12 GMT
Server: Apache/1.3.17 (Unix) balanced_by_mod_backhand/1.1.1pre3
mod_fastcgi/2.2.10
Set-cookie: BMLSESSION=yfovjsoytpkosdpjhfpgomjtkw; expires=Thursday,
24-May-2001 20:48:13 GMT; path=/
Set-cookie: ljuser=test; path=/
Set-cookie: ljhpass=test:098f6bcd4621d373cade4e832627b4f6; path=/
Set-cookie: ljuser=test; path=/; domain=livejournal.com
Set-cookie: ljhpass=test:098f6bcd4621d373cade4e832627b4f6; path=/;
domain=livejournal.com
Cache-Control: no-cache
Cache-Control: private, proxy-revalidate
ETag: 59f7df4ad2182c8f46b8a5e05dc82ba6
Content-length: 9289
Connection: close
Content-Type: text/html

HEAD /users/bradfitz/friends HTTP/1.0
Host: www.livejournal.com


I checked out the Apache documentation project, but ap_overlap_tables looked
like it was undocumented, sitting on the TODO list.

Do you see any way around this?

Can I make requests to one specific URI not be backhanded? I'm using Action
directives to map an extension (*.bml) onto a handler in the cgi-bin (a
FastCGI script)... I'm not sure if the URI I'd have to exclude would be
/cgi-bin/bmlp.pl/login_do.bml or /login_do.bml ?

In other words, what phase of the URI expansion/rewriting do the <Location>
blocks [for mod_backhand?] take effect? Apologies in advance if this is a
stupid question.

Thanks,

- Brad


----- Original Message -----
From: "Theo E. Schlossnagle" <theo@omniti.com>
To: "Brad Fitzpatrick" <bradfitz@bradfitz.com>
Cc: <backhand-users@lists.backhand.org>
Sent: Thursday, February 22, 2001 5:13 PM
Subject: Re: [mod_backhand-users] Multiple set-cookie bug


[mod_backhand-users] Multiple set-cookie bug [ In reply to ]
Hate replying to myself, but check out src/main/util_script.c in Apache...
around line 476 you can see all the hoops they have to jump through to get
set-cookie lines preserved for stupid browsers. Search for all the
set-cookie lines in there. Could a similar thing be done in mod_backhand?

I don't know either the Apache or backhand codebase well, so it'd take more
time for me to learn each than to actually merge this code in for somebody
that knew the code. Worse, I don't have much free time lately.... (which I
imagine is the case for just about everybody here). However, if anybody
does have some time to fix this, I'm more than willing to send you a DVD or
CD for compensation since I know fixing annoying stuff like this because
other clients (*cough*IE*cough*) are broken is no fun.

- Brad

----- Original Message -----
From: "Brad Fitzpatrick" <bradfitz@bradfitz.com>
To: <backhand-users@lists.backhand.org>
Cc: "Theo E. Schlossnagle" <theo@omniti.com>
Sent: Friday, February 23, 2001 1:08 PM
Subject: Re: [mod_backhand-users] Multiple set-cookie bug


[mod_backhand-users] Multiple set-cookie bug [ In reply to ]
The fix for preserving individual cookie headers has been committed to CVS.

Brad Fitzpatrick wrote:
> Hate replying to myself, but check out src/main/util_script.c in Apache...
> around line 476 you can see all the hoops they have to jump through to get
> set-cookie lines preserved for stupid browsers. Search for all the
> set-cookie lines in there. Could a similar thing be done in mod_backhand?
>
> I don't know either the Apache or backhand codebase well, so it'd take more
> time for me to learn each than to actually merge this code in for somebody
> that knew the code. Worse, I don't have much free time lately.... (which I
> imagine is the case for just about everybody here). However, if anybody
> does have some time to fix this, I'm more than willing to send you a DVD or
> CD for compensation since I know fixing annoying stuff like this because
> other clients (*cough*IE*cough*) are broken is no fun.

--
Theo Schlossnagle
1024D/A8EBCF8F/13BD 8C08 6BE2 629A 527E 2DC2 72C2 AD05 A8EB CF8F
2047R/33131B65/71 F7 95 64 49 76 5D BA 3D 90 B9 9F BE 27 24 E7
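
Added example, not part of the thread and not mod_backhand or Apache code: a toy header table showing the three ways a proxy hop can carry repeated Set-Cookie headers from a backend, namely overwrite, comma-merge, and keeping each cookie on its own line. The table, the policy names and the shortened cookie values are constructed for illustration; the merged case also shows that splitting on commas cannot recover the original cookies, because the expires date itself contains a comma.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Toy header table for illustration; NOT Apache's table API. */
enum policy { POLICY_SET, POLICY_MERGE, POLICY_KEEP_COOKIES };
struct hdr { char key[32]; char val[512]; };
struct table { struct hdr h[16]; int n; };

/* Constructed backend response, modelled on the capture in the thread. */
static const char *backend[][2] = {
    {"Set-Cookie", "BMLSESSION=abc; expires=Thursday, 24-May-2001 20:48:13 GMT; path=/"},
    {"Set-Cookie", "ljuser=test; path=/"},
    {"Set-Cookie", "ljuser=test; path=/; domain=livejournal.com"},
    {"Content-Type", "text/html"},
};

/* Store one header: overwrite, comma-merge, or (cookies only) append. */
static void put(struct table *t, const char *k, const char *v, enum policy p) {
    int keep = (p == POLICY_KEEP_COOKIES && strcasecmp(k, "Set-Cookie") == 0);
    for (int i = 0; !keep && i < t->n; i++) {
        struct hdr *h = &t->h[i];
        size_t len = strlen(h->val);
        if (strcasecmp(h->key, k) != 0) continue;
        if (p == POLICY_SET) snprintf(h->val, sizeof h->val, "%s", v);
        else snprintf(h->val + len, sizeof h->val - len, ", %s", v);
        return;
    }
    if (t->n == 16) return;                 /* toy table is full */
    snprintf(t->h[t->n].key, sizeof t->h[0].key, "%s", k);
    snprintf(t->h[t->n].val, sizeof t->h[0].val, "%s", v);
    t->n++;
}

/* Forward the backend headers under a policy; return Set-Cookie lines sent. */
int cookie_lines(enum policy p, struct table *out) {
    int lines = 0;
    out->n = 0;
    for (size_t i = 0; i < sizeof backend / sizeof backend[0]; i++)
        put(out, backend[i][0], backend[i][1], p);
    for (int i = 0; i < out->n; i++)
        lines += (strcasecmp(out->h[i].key, "Set-Cookie") == 0);
    return lines;
}

/* Pieces a client gets if it undoes the merge by splitting on ','. */
int comma_pieces(const char *v) {
    int n = 1;
    while (*v) n += (*v++ == ',');
    return n;
}
```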