Bizarre perlbal problem

Dormando dormando at rydia.net
Fri Nov 18 09:36:45 PST 2005


(sorry, couldn't resist :P)

We got HTTP 1.0 keepalives working (for the most part) late in the day 
yesterday. Overnight we witnessed a pretty bad glitch where our users 
would randomly get other users' site cookies and become logged in as 
someone else.

It happened in a small percentage of users, but turning off the backend 
keepalives seems to have removed the issue. We're still investigating on 
our end, but I'm having a hard time even speculating how that happened; 
was perlbal sending back responses from clients other than the 
requestor? Any insight?

Other things that came to mind:
  - It's possible sometimes we return an improper content-length.
  - If a client connection closes before reading any data back from its 
connection, does perlbal always junk the backend request before reusing it?

I do have a weird routing setup in order to have two perlbal processes 
running on the same IP address, but since that's just on the frontend 
and only for incoming requests, I can't see how the responses would get 
switched... If they were, it'd happen a lot more often than with what we 
saw.

Thanks,
-Alan
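
The two hypotheses in the message above (a backend response left unread when the client disconnects, and a wrong Content-Length) can be modelled as follows. This is an added example, not Perlbal code and not from the original post; every class name, function name and byte string is constructed, and the `safe` flag stands for one common guard: never reuse a backend connection that still has unread bytes.

```python
# Toy model of backend keep-alive reuse in a reverse proxy (not Perlbal code).
# All names and byte strings here are constructed for illustration.

class BackendConn:
    """In-memory stand-in for one persistent backend socket."""
    def __init__(self):
        self.unread = b""    # bytes sent by the backend, not yet consumed by the proxy
        self.closed = False

    def backend_answers(self, user, declared_len=None):
        body = f"hello {user}".encode()
        n = len(body) if declared_len is None else declared_len
        self.unread += (f"HTTP/1.0 200 OK\r\nSet-Cookie: session={user}\r\n"
                        f"Content-Length: {n}\r\n\r\n").encode() + body

    def read_response(self):
        """Frame exactly one response using its Content-Length header."""
        head, _, rest = self.unread.partition(b"\r\n\r\n")
        length = int(head.split(b"Content-Length: ")[1].split(b"\r\n")[0])
        self.unread = rest[length:]
        return head + b"\r\n\r\n" + rest[:length]


def proxy(conn, user, client_gone=False, declared_len=None, safe=False):
    """Serve one request on conn; return what the client receives (None if it left)."""
    conn.backend_answers(user, declared_len)
    response = None if client_gone else conn.read_response()
    if safe and conn.unread:
        conn.closed = True   # stale bytes pending: do not hand this socket to anyone else
    return response


def second_user_reply(safe, **first_request):
    """alice's request goes first, then bob's; return the raw bytes bob receives."""
    conn = BackendConn()
    proxy(conn, "alice", safe=safe, **first_request)
    if conn.closed:
        conn = BackendConn()  # hardened path: open a fresh backend connection
    return proxy(conn, "bob", safe=safe)
```

Without the guard, an abandoned response hands bob the reply carrying alice's Set-Cookie, and an understated Content-Length leaves body bytes that corrupt the start of bob's reply; with the guard both cases fall back to a fresh connection.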

