Hi Cor,

Can't you use SSL Session ID to do loadbalancing? Assuming you force SSL on everyone.

I am not exactly sure what you are referring to when speaking of the
SSL Session ID but AFAIU the information would be encrypted (assuming
the web server perform is running SSL) and not available on the proxy.

I do force SSL on everyone neither at the moment (but the idea is
attractive to prevent dead-broken proxies caching the JS badly and
causing grief to my users on upgrade). Furthermore, I am using NGINX
to perform the HTTPS encapsulation (which mean that the cookie trick
works even with SSL).

It should be possible to use the API. If I look at your patch, you
can do your set_backend() in the API call login_after. You can use login_failed for one of your kill_backend() calls, but
the other 2 would need an added api hook. I think we might want api
hooks there anyways, so one can always clean up after a plugin in
case a user disappears. I think a 'logout' api hook would be very
welcome.

Thank you for giving me more details, about how it could be done. I
have a very limited understanding of roundcube internals (only what
was necessary to write the patch). You most likely know better than I do what can and can not be done and
if so and you think it is the way forward, feel free to change my code
all together if you feel inclined to. My interest is in not supporting any out-of-tree patches on my
installation :)

I dont think you'd need one in the session loss code. If they lose
their session they re-login and a new cookie would get set in
set_backend().

Make sense.

Thomas _______________________________________________ List info: http://lists.roundcube.net/dev/