Bizarre perlbal problem
dormando at rydia.net
Fri Nov 18 20:05:59 PST 2005
Jacques Marneweck wrote:
> Brad Fitzpatrick wrote:
>>I hear your concern, but I'm not worried about Perlbal mixing up requests
>>However, what I'm asking about is different: not that each request can go
>>to different servers, but that PHP isn't caching any session info data on
>>the CONNECTION object, not the REQUEST object.
> I'll do a little digging with your theory ;)
> With PHP everything is stateless from my experience with PHP over the
> past 8 years. Each request is treated in a stateless manner but one can
> get session data based on the session cookie / session identifier
> specified as ?mysession=sessionid style of URLs or both depending on
> the scenario.
> I'm currently serving doc.php.net up from two servers with one perlbal
> instance running on one of the boxes without any issues atm. I haven't
> upgraded to 1.39 yet. I'll most likely get round to doing the upgrade
> this weekend.
We couldn't find anything in our codebase that uses variables which
persist between requests on the same connection. We had a hard time
figuring out what can persist for the whole connection at all...

We spent some time opening a Keep-Alive connection to a test apache
server, then sending it requests with different user login cookies (or
none at all) each time. We weren't able to convince two versions of PHP
to send us back the wrong cookies.

Further, in any scenario we could think of our users would be getting
their logins swapped instantly, not as small of a percentage as we were
seeing. If a single keep-alive connection can service up to 500 requests
in our case, there'd be a lot of room for something to get poisoned and
a lot of requests to get poisoned.

At this point we're leaning toward the idea that one or two of our
ancient webservers is running an ancient broken PHP install that returns
bunkus data occasionally, and that the Content-Length injection the devs
had tried wasn't 100% perfect either. In a couple weeks our webserver
backend will be an array of shiny new debian servers (new OS, anyway).
We'll try it again then and send some updates.
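
The keep-alive test described in the message above, as an added example (not code from the original post or from Perlbal): one persistent connection carries requests that alternate between different login cookies and none, and each response is checked against the identity its own request sent. The echo backend, the `login=` cookie values and the `X-Client-Port` header are constructed stand-ins for a real PHP backend.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

class EchoIdentity(BaseHTTPRequestHandler):
    """Constructed stand-in backend: echoes the login cookie it received."""
    protocol_version = "HTTP/1.1"  # required for persistent connections

    def do_GET(self):
        body = (self.headers.get("Cookie") or "anonymous").encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.send_header("X-Client-Port", str(self.client_address[1]))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep test output quiet
        pass

def check_keepalive_isolation(host, port, cookies, rounds=5):
    """Cycle through `cookies` on one connection; return (mismatches, connections used)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    mismatches, ports = [], set()
    for _ in range(rounds):
        for cookie in cookies:
            headers = {"Cookie": cookie} if cookie else {}
            conn.request("GET", "/", headers=headers)
            resp = conn.getresponse()
            seen = resp.read().decode()
            ports.add(resp.getheader("X-Client-Port"))
            expected = cookie or "anonymous"
            if seen != expected:  # identity from another request leaked in
                mismatches.append((expected, seen))
    conn.close()
    # More than one port means the client reconnected, so connection state was not exercised.
    return mismatches, len(ports)

def run_demo():
    server = ThreadingHTTPServer(("127.0.0.1", 0), EchoIdentity)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_keepalive_isolation(
            "127.0.0.1", server.server_address[1], ["login=alice", None, "login=bob"])
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())
```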