Dan, > Our two choices are evidently "IP-based" and "cookie-based". > Currently, we're using "IP-based", so every IP address is treated as > a separate request. I'm looking into making it cookie-based, and > making cookies a requirement for the site (currently, we only use > cookies to store a couple of simple preferences). Any idea how many > people have cookies turned off?
I have no idea, but I always try hard to make it work for just about everyone. My current project even works in lynx. ;) Does the lb have any capabilities to use other hints when the cookie is not available? For example, Tomcat will use ";jsessionid=[A-Z0-9]+" in the URL to identify the session for clients who are not using cookies. > I actually considered [treating AOLers specially], although it seems > a bit of an extreme solution. Yeah, it kinda sucks, especially when you have to have this weirdo config on a separate server (or cluster of servers). > Incidentally, who creates the sessionID? Tomcat creates the session id. > Maybe if I could make sure it only authenticates the sessionID > against the first three numbers in the IP address... I think you're playing with fire, there. Besides, what would you change to make this work, here? -chris
signature.asc
Description: OpenPGP digital signature