From "Manni Wood"
Subject RE: mod_usertrack bugfix patch
Date Tue, 11 Mar 2003 00:25:31 GMT
OK, so almost a month ago, Cliff Woolley, Sander Holthaus, John K.
Sterling, and Jeff Trawick all encouraged me to change the mod_usertrack
patch I submitted so that instead of relying on a regexp to correctly
find the cookie in the cookie header (why the current mod_usertrack
sometimes fails to do this is detailed at, the patch would rely on
a small state machine to do the same.

The small state machine would crawl down the cookie header, character by
character, only once (or less, if the cookie is actually found in the
middle of the cookie header and the search ends), which should be a
speed improvement, yet hold onto the accuracy of my original patch.

Please find attached my latest patch for the 2.0.44 version of
mod_usertrack, as well as ch6.c, a program I wrote to test my state
machine for accuracy and robustness.

Some comments:

1. I looked into the cookie RFC, which refers to the HTTP RFC on what
the definition of a quoted value is. Interestingly, a quoted value is
not allowed to contain quotes, not even escaped quotes. Can someone
correct me on my assumption if I am wrong? More interestingly, I see no
reason why an unquoted value cannot contain unescaped quotes --- it's
just not allowed to contain spaces.

2. A valid cookie in the header does not need a value. Hence, you can
have, in the cookie header, a cookie name, followed by a semi-colon,
instead of the equal sign and value and *then* the semi-colon you would

3. A valid cookie header can separate its cookie/value pairs with commas
as well as semi-colons, and can have space before and after the
semi-colons or commas.

4. A valid cookie/value pair can have space before and after the equal

5. My state machine, based on my extensive testing, gracefully handles
all the above assumptions, and also gracefully aborts searching
malformed cookie headers. The resulting state machine is not as simple
as I had hoped!

6. I have not had the time to load-test my state-machine fix versus my
regexp fix. (The box I was using for load testing just got WinXP
installed, and Jmeter is crapping out now. I'll have to find another box
to load-test Apache. When I do, I'll get you the results.)

7. I also have not done a 1.3.x version of the patch, though it should
be trivial for me to do, and I want to as soon as I get the time and
some feedback from you guys.

I mostly would like feedback from the four of you on the code I've done
so far to see if you are confident the code is accurate and robust, and
that I've generally headed in the right direction with it.

Looking forward to your comments,


-----Original Message-----
From: Cliff Woolley
Sent: Tuesday, February 25, 2003 6:00 PM
Subject: RE: mod_usertrack bugfix patch

On Tue, 25 Feb 2003, Manni Wood wrote:

> Kind of funny. While reading all these helpful e-mails, I was telling 
> myself "so really, what I need to do is build some sort of state 
> machine..." and there the phrase was in your latest e-mail. OK, so 
> with everybody's help, I think I have everything I need (most 
> especially the outline for an improved algorithm) to deliver improved 
> accuracy *and* performance finding the cookie in mod_usertrack. I 
> guess it's time to get hacking.

Sweet!  I look forward to the next rev.  :)
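
The cookie-header rules listed in the message above (quoted values with no embedded quotes, unquoted values with no spaces, valueless cookies, comma or semicolon separators, optional space around the equal sign and separators, abort on malformed input) can be sketched as a single-pass scanner. This is an added example, not the attached patch or ch6.c; the function name `find_cookie`, its return codes, case-sensitive name matching, and treating an empty name as malformed are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define IS_WS(c)  ((c) == ' ' || (c) == '\t')
#define IS_SEP(c) ((c) == ';' || (c) == ',')

/* Hypothetical helper: returns 1 if cookie `name` is found (value copied to
 * out, "" if valueless), 0 if absent, -1 if malformed or out is too small. */
int find_cookie(const char *p, const char *name, char *out, size_t outsz)
{
    size_t want = strlen(name);
    if (outsz == 0) return -1;
    for (;;) {
        const char *n, *v;
        size_t nlen, vlen = 0;
        while (IS_WS(*p)) p++;                  /* space before the name */
        if (*p == '\0') return 0;               /* end of header: not found */
        n = p;                                  /* name runs to '=', sep or space */
        while (*p && *p != '=' && !IS_SEP(*p) && !IS_WS(*p)) p++;
        nlen = (size_t)(p - n);
        if (nlen == 0) return -1;               /* empty name: malformed */
        while (IS_WS(*p)) p++;                  /* space before '=' */
        v = p;
        if (*p == '=') {
            p++;
            while (IS_WS(*p)) p++;              /* space after '=' */
            if (*p == '"') {                    /* quoted: ends at next quote */
                v = ++p;
                while (*p && *p != '"') p++;
                if (*p != '"') return -1;       /* unterminated quote */
                vlen = (size_t)(p - v);
                p++;                            /* step past closing quote */
            } else {                            /* unquoted: quotes ok, no space */
                v = p;
                while (*p && !IS_SEP(*p) && !IS_WS(*p)) p++;
                vlen = (size_t)(p - v);
            }
            while (IS_WS(*p)) p++;              /* space before separator */
        }
        if (*p && !IS_SEP(*p)) return -1;       /* junk where separator expected */
        if (nlen == want && memcmp(n, name, want) == 0) {
            if (vlen >= outsz) return -1;       /* never overflow caller buffer */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;                           /* stop early once found */
        }
        if (*p) p++;                            /* consume ';' or ',' */
    }
}
```

Because names are compared over their full length, a constructed header such as `MyApache=bad; Apache=good` yields `good` for `Apache`, and the length check keeps an oversized value from overrunning the caller's buffer.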


