Bug 41897 - mod_proxy_balancer: configured session identifier is case-sensitive
mod_proxy_balancer: configured session identifier is case-sensitive
Product: Apache httpd-2
Classification: Unclassified
Component: mod_proxy_balancer
All Linux
: P2 major with 3 votes (vote)
: ---
Assigned To: Apache HTTPD Bugs Mailing List
Depends on:
  Show dependency tree
Reported: 2007-03-19 19:39 UTC by Thorsten Blome
Modified: 2008-05-13 04:31 UTC (History)
0 users

patch for the httpd-2.2.x (3.66 KB, patch)
2007-07-09 07:00 UTC, jfclere
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Thorsten Blome 2007-03-19 19:39:41 UTC
We're using Apaches(2.2.4) mod_proxy and mod_proxy_balancer to loadbalance 
Tomcats(5.5) using mod_proxy_ajp, and found a problem getting both cookie-
based and url-rewriting based session-ids to be 'sticky' for 

The Servlet Spec(see i.e.: 
http://www.jcp.org/aboutJava/communityprocess/final/jsr053/ ), in section 7, 
binds Servlet Containers to use an uppercase param 'JSESSIONID' to hold the 
sessionid in cookies, but a lowercase 'jsessionid' if using url-rewriting(used 
when cookies are disabled). And thats exactly what the Tomcats do.

Now, if we have defined stickysession to be 'JSESSIONID' in the ProxyPass 
directive, i.e. like this:
ProxyPass /me/pub/ balancer://ME-Test/me/pub/ stickysession=JSESSIONID
we observe the stickysession feature to work with cookies, but not with url-

If we define stickysession to use the lowercase variant, like this:
ProxyPass /me/pub/ balancer://ME-Test/me/pub/ stickysession=jsessionid
it's just the other way round: url-rewriting is working, but cookies are not.

mod_proxy_balancer uses the value stickysession is set to in a case-sensitive 
way for both cookie-based and url-based session-ids, thus being unable to cope 
with the different cases of 'jsessionid' defined as mandatory by the Servlet 
Spec. This can be seen in the mod_proxy_balancer.c source in get_path_param() 
and get_cookie_param().

What we did to circumvent the problem was to patch mod_proxy_balancer.c like 
--- mod_proxy_balancer.c.ORIG   2005-11-10 16:20:05.000000000 +0100
+++ mod_proxy_balancer.c        2006-01-31 18:03:56.000000000 +0100
@@ -111,9 +111,17 @@
                           const char *name)
   char *path = NULL;
+    char *session_id = NULL;
+    int  i;

+    session_id= apr_pstrdup(pool, name);
+    /* Change 'JSESSIONID' to 'jsessionid' to match the value in the url */
+    if (isupper(name[0])) {
+        for (i=0;i<=strlen(session_id);i++)
+            session_id[i] = tolower(session_id[i]);
+    }

-    for (path = strstr(url, name); path; path = strstr(path + 1, name)) {
-        path += (strlen(name) + 1);
+    for (path = strstr(url, session_id); path; path = strstr(path + 1, 
session_id)) {
+        path += strlen(session_id);
       if (*path == '=') {
            * Session path was found, get it's value
(found here: http://mail-archives.apache.org/mod_mbox/httpd-users/200603.mbox/%
3c9B4E37DCB8D57D408FF960B536F0E5274330E6@ms01012.avinci.de%3e )

Although that fixed the problem for us, I do not request to apply exactly this 
patch to the mod_proxy_balancer.c source(because it's rude in a way that it 
only looks for the lowercase identifier in the URL if an uppercase one is 
configured), but I think mod_proxy_balancer.c has to be changed so that either:
- it is handling the stickysession identifier in an overall case-insensitive 
way, or at least
- it could additionally look for the lowercase variant in get_path_param(), if 
an uppercase one is configured and not found in the URL
Comment 1 jfclere 2007-06-25 07:47:00 UTC
After thinking to it the best way seems to allow 2 parameters separated with a |
ProxyPass balancer://mycluster/myapp stickysession=JESSSIONID|jsessionid
Comment 2 jfclere 2007-07-09 07:00:58 UTC
Created attachment 20480 [details]
patch for the httpd-2.2.x

Patch for the 2.2.x branch.