Bizarre perlbal problem

Dormando dormando at rydia.net
Fri Nov 18 20:05:59 PST 2005


Jacques Marneweck wrote:
> Brad Fitzpatrick wrote:
> 
>>I hear your concern, but I'm not worried about Perlbal mixing up requests
>>and responses.
>>
>>However, what I'm asking about is different:  not that each request can go
>>to different servers, but that PHP isn't caching any session info data on
>>the CONNECTION object, not the REQUEST object.
>>  
> 
> I'll do a little digging with your theory ;)
> 
> With PHP everything is stateless from my experience with PHP over the
> past 8 years.  Each request is treated in a stateless manner but one can
> get session data based on the session cookie / session identifier
> specified as ?mysession=sessionid style of URL's or both depending on
> the scenario.
> 
> I'm currently serving doc.php.net up from two servers with one perlbal
> instance running on one of the boxes without any issues atm.  I haven't
> upgraded to 1.39 yet.  I'll most likely get round to doing the upgrade
> this weekend.
> 
> Regards
> --jm

We couldn't find anything in our codebase that uses variables which 
persist between requests on the same connection. We had a hard time 
figuring out what can persist for the whole connection at all...

We spent some time opening a Keep-Alive connection to a test apache 
server, then sending it requests with different user login cookies (or 
none at all) each time. We weren't able to convince two versions of PHP 
to send us back the wrong cookies.

Further, in any scenario we could think of our users would be getting 
their logins swapped instantly, not at the small percentage we were 
seeing. If a single keep-alive connection can service up to 500 requests 
in our case, there'd be a lot of room for something to get poisoned and 
a lot of requests to get poisoned.

At this point we're leaning toward the idea that one or two of our 
ancient webservers are running an ancient broken PHP install that returns 
bunkus data occasionally, and that the Content-Length injection the devs 
had tried wasn't 100% perfect either. In a couple weeks our webserver 
backend will be an array of shiny new debian servers (new OS, anyway). 
We'll try it again then and send some updates.

have fun,
-Alan

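The keep-alive experiment Alan describes (one persistent connection, a different login cookie or none on each request, check that nothing from an earlier request bleeds into a later response) is easy to reproduce as a self-contained probe. The following is an added example, not code from the perlbal project or from anyone on this thread. It uses Python's stdlib http.server as a stand-in for the PHP backend: the handler echoes the Cookie header it received, and a `leak_state` switch simulates the suspected bug by caching the first cookie on the per-connection handler object (BaseHTTPRequestHandler reuses one instance for every request on a keep-alive connection). The client talks raw HTTP/1.1 over a single socket so that the keep-alive behaviour is under its control rather than a library's. Hostnames, paths and cookie values are constructed for the demo.

```python
import http.server
import socket
import threading


class CookieEchoHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in backend: replies with the Cookie header it was sent."""

    protocol_version = "HTTP/1.1"   # HTTP/1.1 => connection stays open between requests
    leak_state = False              # True simulates state cached on the CONNECTION object

    def do_GET(self):
        cookie = self.headers.get("Cookie", "")
        if self.leak_state:
            # The handler instance lives for the whole keep-alive connection, so an
            # attribute set on it persists across requests: exactly the "session
            # cached on the connection, not the request" failure mode under suspicion.
            if not hasattr(self, "_cached_cookie"):
                self._cached_cookie = cookie
            cookie = self._cached_cookie
        body = cookie.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_server(leak):
    """Start a backend on a random loopback port; returns the server object."""
    handler = type("Handler", (CookieEchoHandler,), {"leak_state": leak})
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_keepalive(host, port, cookies):
    """Send one GET per entry in `cookies` over ONE TCP connection.

    An empty string means "send no Cookie header at all". Returns a list of
    (cookie_sent, body_received) pairs in request order.
    """
    results = []
    with socket.create_connection((host, port)) as sock:
        rfile = sock.makefile("rb")
        for cookie in cookies:
            lines = [f"GET /whoami HTTP/1.1", f"Host: {host}", "Connection: keep-alive"]
            if cookie:
                lines.append(f"Cookie: {cookie}")
            sock.sendall(("\r\n".join(lines) + "\r\n\r\n").encode())

            status = rfile.readline()          # e.g. b"HTTP/1.1 200 OK\r\n"
            if not status:
                raise ConnectionError("server closed the keep-alive connection")
            headers = {}
            while True:
                line = rfile.readline()
                if line in (b"\r\n", b""):
                    break
                name, _, value = line.decode("latin-1").partition(":")
                headers[name.strip().lower()] = value.strip()
            body = rfile.read(int(headers.get("content-length", "0"))).decode()
            results.append((cookie, body))
        rfile.close()
    return results


def find_mismatches(leak, cookies=("session=alice", "session=bob", "", "session=carol")):
    """Run the probe against a fresh backend and return every (sent, got) pair that differs."""
    srv = start_server(leak)
    try:
        results = probe_keepalive("127.0.0.1", srv.server_address[1], list(cookies))
    finally:
        srv.shutdown()
        srv.server_close()
    return [(sent, got) for sent, got in results if sent != got]


if __name__ == "__main__":
    print("clean backend, mismatches:", find_mismatches(False))
    print("leaky backend, mismatches:", find_mismatches(True))
```

Against the clean backend every echoed body matches the cookie that was sent; against the leaky one every request after the first comes back as "alice". That is the point made in the message: a real per-connection leak would show up on essentially every reused connection, not in a small fraction of requests. Pointing `probe_keepalive` at a real backend (and grepping the body for the session identifier or username the page renders) turns it into a regression check that can be run after the planned server upgrade.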
