session length when using cookies

Posted by James Little 
James Little
session length when using cookies
September 03, 2009 05:20PM
Hi All,

I'm looking for some advice on how to achieve lengthy (2 hours+)
persistence with cookie insertion. I know that by default the cookies
do not expire, but we are concerned here with the actual session
duration. For example, say we are dealing with a web-based CMS where
the user wants to be logged in for hours, but is not necessarily
refreshing the screen frequently. How do we ensure he stays logged in?
I'm aware that HAProxy does not support http keep-alive. Is the
'clitimeout' setting the right way to go?

Also interested in knowing the *default* persistence timeout.


Any pointers greatly appreciated.


James
Hank A. Paulson
Re: session length when using cookies
September 03, 2009 06:50PM
If you use haproxy with app-generated-cookie based balancing, it will continue
to send requests with that cookie to that backend as long as that cookie
exists and that backend is up - afaik.

If you look at the cookie in a browser tool, what is the expiration time?
If it is not as long as you want, you have to change the expiration time in
your CMS that is creating the cookie.

On 9/3/09 8:15 AM, James Little wrote:
> Hi All,
>
> I'm looking for some advice on how to achieve lengthy (2 hours+)
> persistence with cookie insertion. I know that by default the cookies do
> not expire, but we are concerned here with the actual session duration.
> For example, say we are dealing with a web-based CMS where the user
> wants to be logged in for hours, but is not necessarily refreshing the
> screen frequently. How do we ensure he stays logged in? I'm aware that
> HAProxy does not support http keep-alive. Is the 'clitimeout' setting
> the right way to go?
>
> Also interested in knowing the *default* persistence timeout.
>
>
> Any pointers greatly appreciated.
>
>
> James
James Little
Re: session length when using cookies
September 03, 2009 07:30PM
Hank, thanks for the reply. I was not thinking of app-cookie (i.e.
appsession) load balancing at this stage, but just a SERVERID cookie
which stores the backend label. I guess the answer is that it depends
on what cookies the app uses, and what their expiry date is. But what
about source IP persistence as well? How do we configure the timeout
for that?

Thanks,

James


On 3 Sep 2009, at 17:47, Hank A. Paulson wrote:

> If you use haproxy with app-generated-cookie based balancing, it
> will continue to send requests with that cookie to that backend as
> long as that cookie exists and that backend is up - afaik.
>
> If you look at the cookie in a browser tool, what is the expiration
> time?
> If it is not as long as you want, you have to change the expiration
> time in your CMS that is creating the cookie.
>
> On 9/3/09 8:15 AM, James Little wrote:
>> Hi All,
>>
>> I'm looking for some advice on how to achieve lengthy (2 hours+)
>> persistence with cookie insertion. I know that by default the cookies do
>> not expire, but we are concerned here with the actual session duration.
>> For example, say we are dealing with a web-based CMS where the user
>> wants to be logged in for hours, but is not necessarily refreshing the
>> screen frequently. How do we ensure he stays logged in? I'm aware that
>> HAProxy does not support http keep-alive. Is the 'clitimeout' setting
>> the right way to go?
>>
>> Also interested in knowing the *default* persistence timeout.
>>
>>
>> Any pointers greatly appreciated.
>>
>>
>> James
>
Hank A. Paulson
Re: session length when using cookies
September 03, 2009 07:50PM
Theoretically, if you are using http (and are closing the connection after
each request) and an app generated cookie, the tcp persistence would not
matter or come into play - I think.

Take the infamous "AOL user" case, AOL in the past, at least, used multiple
gateways with a single user coming from different IPs during the lifetime of a
single session. In that case, you can't use tcp connectivity tricks to manage
sessions, you have to use cookies. Again, afaik.

A similar situation is the recent discussion of very long sessions for remote
desktop - I don't believe tcp persistence came into play there either.

On 9/3/09 10:23 AM, James Little wrote:
> Hank, thanks for the reply. I was not thinking of app-cookie (i.e.
> appsession) load balancing at this stage, but just a SERVERID cookie
> which stores the backend label. I guess the answer is that it depends on
> what cookies the app uses, and what their expiry date is. But what about
> source IP persistence as well? How do we configure the timeout for that?
>
> Thanks,
>
> James
>
>
> On 3 Sep 2009, at 17:47, Hank A. Paulson wrote:
>
>> If you use haproxy with app-generated-cookie based balancing, it will
>> continue to send requests with that cookie to that backend as long as
>> that cookie exists and that backend is up - afaik.
>>
>> If you look at the cookie in a browser tool, what is the expiration time?
>> If it is not as long as you want, you have to change the expiration
>> time in your CMS that is creating the cookie.
>>
>> On 9/3/09 8:15 AM, James Little wrote:
>>> Hi All,
>>>
>>> I'm looking for some advice on how to achieve lengthy (2 hours+)
>>> persistence with cookie insertion. I know that by default the cookies do
>>> not expire, but we are concerned here with the actual session duration.
>>> For example, say we are dealing with a web-based CMS where the user
>>> wants to be logged in for hours, but is not necessarily refreshing the
>>> screen frequently. How do we ensure he stays logged in? I'm aware that
>>> HAProxy does not support http keep-alive. Is the 'clitimeout' setting
>>> the right way to go?
>>>
>>> Also interested in knowing the *default* persistence timeout.
>>>
>>>
>>> Any pointers greatly appreciated.
>>>
>>>
>>> James
>>
>
>
Willy Tarreau
Re: session length when using cookies
September 05, 2009 07:10PM
On Thu, Sep 03, 2009 at 10:40:00AM -0700, Hank A. Paulson wrote:
> Theoretically, if you are using http (and are closing the connection after
> each request) and an app generated cookie, the tcp persistence would not
> matter or come into play - I think.

Indeed, only the cookie matters.

> Take the infamous "AOL user" case, AOL in the past, at least, used multiple
> gateways with a single user coming from different IPs during the lifetime
> of a single session. In that case, you can't use tcp connectivity tricks to
> manage sessions, you have to use cookies. Again, afaik.

It's not only AOL, it's almost everywhere you have redundant outgoing proxies.
From my experience, about 5% of the internet users on a given site see their
IP address change multiple times during a session, sometimes even for every
hit due to round-robin proxies.

But James, I don't get the initial issue. Since the inserted cookie does not
expire, what issue are you trying to work around? As long as the user does
not close his browser, he will remain on the same server, so I don't see
where your problem is.

Regards,
Willy
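
The point made in this thread about round-robin outgoing proxies, as an added example that is not part of the original posts: a small simulation replaying one browser session whose source IP changes on every hit, comparing source-IP persistence with an inserted `SERVERID` cookie. The server labels, the addresses and the octet-sum hash are assumptions made for illustration; the hash is a simplified stand-in, not HAProxy's own algorithm.

```python
import itertools

SERVERS = ["web1", "web2", "web3"]  # constructed backend labels


def pick_by_source(ip):
    """Simplified stand-in for source-IP persistence (not HAProxy's real hash)."""
    return SERVERS[sum(int(octet) for octet in ip.split(".")) % len(SERVERS)]


class CookieInsertBalancer:
    """Models cookie insertion: the proxy sets SERVERID on the first response
    and routes on it afterwards, ignoring the source address."""

    def __init__(self):
        self._round_robin = itertools.cycle(SERVERS)

    def route(self, cookies):
        server = cookies.get("SERVERID")
        if server not in SERVERS:           # no cookie yet, or unknown label
            server = next(self._round_robin)
            cookies["SERVERID"] = server    # session cookie: no expiry is set
        return server


def replay(source_ips):
    """Replay one browser session whose requests arrive from source_ips.

    Returns (servers chosen by source persistence, servers chosen by cookie).
    """
    balancer = CookieInsertBalancer()
    jar = {}  # the browser's cookie jar, kept until the browser is closed
    by_source = [pick_by_source(ip) for ip in source_ips]
    by_cookie = [balancer.route(jar) for _ in source_ips]
    return by_source, by_cookie


# Constructed sample: one user behind three round-robin outgoing proxies
# (RFC 5737 documentation addresses), so the source IP changes on every hit.
PROXIED_SESSION = ["198.51.100.10", "198.51.100.11", "198.51.100.12",
                   "198.51.100.10", "198.51.100.11"]

if __name__ == "__main__":
    by_source, by_cookie = replay(PROXIED_SESSION)
    print("source persistence:", by_source)
    print("cookie insertion:  ", by_cookie)
```

With the constructed session the source-based choice moves between all three servers, while the cookie keeps every request on the server chosen for the first hit.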