Forum Discussion
hooleylist
Aug 07, 2008
Cirrostratus
One other thing... in the current iteration of the rule, a new session is created and the total session count incremented on each HTTP request which doesn't already have a session cookie. The only time the total count is decremented is when the TCP connection is closed. So if there are multiple clients connecting over the same TCP connection (i.e., coming in via a proxy), session leakage would occur. For proxied users, multiple sessions would be created, but only one session removed when the TCP connection is closed. To account for this, you'd have to count the number of new sessions created per TCP connection and then decrement the session count by this count in CLIENT_CLOSED.
Aaron
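
The per-connection accounting described in the post above, sketched as an iRule. This is an added example, not part of the original post and not the rule being discussed; the cookie name `session_limit`, the variable names, and the use of a global counter are assumptions.

```tcl
when RULE_INIT {
    # Hypothetical global counter of sessions currently counted.
    set ::total_sessions 0
}

when CLIENT_ACCEPTED {
    # Per-TCP-connection count of sessions created on this connection.
    # Local variables persist for the life of the connection.
    set conn_new_sessions 0
}

when HTTP_REQUEST {
    set need_cookie 0
    # A request without the session cookie is treated as a new session.
    # Behind a proxy, many such requests can share one TCP connection.
    if { not [HTTP::cookie exists "session_limit"] } {
        incr ::total_sessions
        incr conn_new_sessions
        set need_cookie 1
    }
}

when HTTP_RESPONSE {
    # Mark the client so later requests are not counted again.
    if { $need_cookie } {
        HTTP::cookie insert name "session_limit" value "1"
    }
}

when CLIENT_CLOSED {
    # Release every session this connection created, not just one,
    # so proxied connections do not leave the counter inflated.
    if { $conn_new_sessions > 0 } {
        incr ::total_sessions [expr {-$conn_new_sessions}]
    }
}
```

With this accounting, a connection that only carried requests already bearing the cookie leaves the counter unchanged when it closes.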