vcl_hash authentication questions

Ron van der Vegt ron.van.der.vegt at buyways.nl
Thu Apr 8 12:46:25 CEST 2010


Greetings,


I hope someone can help me with building two distinct caches using Varnish; 
one for regulars and another for authenticated premium members.

The documentation on this subject [1] suggests in sending a cookie such as 
premium=1. This, however, is not as secure as i would like it to be. Someone 
must not be allowed to just set the cookie, like premium=1 and have access to 
the secured cache.

I see two solutions:
1. validate the cookie using a hash plus a salt from within Varnish in order 
to make it harder to guess the value;

2. have the PHP session ID's do the job for us but we therefore need to check 
in some backend if the session ID is attached to a authenticated premium 
member.

The first solution would be quite quick to implement but has significant 
drawbacks such as security obtained through obscurity and the difficulty that 
comes with a serverside signed-off user.

The second solution would be rather elegant; we could fill a memcached pool 
with PHP session ID's that belong to authenticated premium users; we would 
then only need to check the condition. The problem is: we don't see a method 
in Varnish to check a backend.

What do you suggest? Are there other approaches that fit the use-case? How did 
or would you solve this problem with Varnish?


Thanks in advance,
Ron van der Vegt


More information about the varnish-misc mailing list