Gorouter does not support session affinity for WebSockets

[domdom82]

Is this a security vulnerability?

No.

Issue

Gorouter supports session affinity as described in the docs. However, this support currently works only for regular HTTP traffic. Requests to WebSocket apps ignore JSESSIONID or other session cookies and will be routed randomly instead.

Affected Versions

All.

Context

• Session affinity is currently handled only in ProxyRoundTripper
• ProxyRoundTripper does only handle regular HTTP traffic
• WebSocket traffic is intercepted in Proxy and returns early. This explains why cookies are ignored.

Steps to Reproduce

1. Push a CF app that implements a WebSocket that sets a JSESSIONID cookie
2. Scale the app to two or more instances
3. Re-use the JSESSIONID cookie in the next request
4. Observe the backend instance that is used with the request

Expected result

The same instance is used that has originated the JSESSIONID cookie

Current result

A random instance is used. JSESSIONID cookie is ignored.

Possible Fix

• Refactor the session affinity logic and move it out of ProxyRoundTripper, up one level, to Proxy.
• Another option would be to add a specific handler for session handling that sets the endpoint hint for the load balancer in RequestInfo
• The hint would then be picked up by ProxyRoundTripper and RequestHandler respectively.
• A positive side-effect would be that the code length of ProxyRoundTripper would shrink considerably, making it easier to maintain down the road.

[maxmoehl]

IMO option 2 (dedicated handler, communicate via RequestInfo) is the most desirable. RequestInfo is already used to communicate / collect information related to that request and it clearly separates the logic (hopefully) making the code more maintainable.