vcl_hash authentication questions
Ron van der Vegt
ron.van.der.vegt at buyways.nl
Thu Apr 8 12:46:25 CEST 2010
Greetings,
I hope someone can help me with building two distinct caches using Varnish;
one for regulars and another for authenticated premium members.
The documentation on this subject [1] suggests sending a cookie such as
premium=1. This, however, is not as secure as I would like it to be. Someone
must not be allowed to just set the cookie, like premium=1, and have access to
the secured cache.
I see two solutions:
1. validate the cookie using a hash plus a salt from within Varnish in order
to make it harder to guess the value;
2. have the PHP session IDs do the job for us, but we therefore need to check
in some backend if the session ID is attached to an authenticated premium
member.
The first solution would be quite quick to implement but has significant
drawbacks such as security obtained through obscurity and the difficulty that
comes with a server-side signed-off user.
The second solution would be rather elegant; we could fill a memcached pool
with PHP session IDs that belong to authenticated premium users; we would
then only need to check the condition. The problem is: we don't see a method
in Varnish to check a backend.
What do you suggest? Are there other approaches that fit the use-case? How did
or would you solve this problem with Varnish?
Thanks in advance,
Ron van der Vegt
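The first option in the post, a cookie protected by a hash plus a salt, only holds up if the "salt" is a server-side secret used as a MAC key; an unkeyed hash of guessable fields is exactly the security-through-obscurity the post worries about. The following is an added example, not code from the post or from the Varnish project, written on the application side (where the cookie is issued) to show the scheme end to end: issuing an HMAC-signed premium cookie, verifying it, and deriving the cache partition that the Varnish side would feed into hash_data() in vcl_hash. The cookie layout, the secret, and the helper names are assumptions made for this example.

```python
import hmac
import hashlib

# Constructed secret for this example. In practice it lives only on the
# application servers and in the cache configuration, never in a cookie.
SECRET = b"example-secret-do-not-use"


def sign_premium_cookie(user_id: str, expires_at: int, secret: bytes = SECRET) -> str:
    """Issue a cookie value 'premium|<user>|<expiry>|<hmac-sha256>'.

    Only a holder of `secret` can produce a valid tag, so a client that
    simply sets premium=1 cannot reach the premium partition.
    """
    payload = f"premium|{user_id}|{expires_at}"
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_premium_cookie(value: str, now: int, secret: bytes = SECRET) -> bool:
    """Return True only for an unexpired, correctly signed premium cookie."""
    parts = value.split("|")
    if len(parts) != 4 or parts[0] != "premium":
        return False
    _, user_id, expires_at, tag = parts
    if not expires_at.isdigit() or int(expires_at) <= now:
        return False  # expiry lets a revoked membership age out of the cache
    expected = hmac.new(
        secret, f"premium|{user_id}|{expires_at}".encode(), hashlib.sha256
    ).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    return hmac.compare_digest(expected, tag)


def cache_partition(cookie_header: str, now: int, secret: bytes = SECRET) -> str:
    """Parse a raw Cookie header and decide which cache the request belongs to."""
    for crumb in cookie_header.split(";"):
        name, _, val = crumb.strip().partition("=")
        if name == "premium" and verify_premium_cookie(val, now, secret):
            return "premium"
    return "regular"


def hash_key(host: str, url: str, cookie_header: str, now: int) -> str:
    """Mirror of what vcl_hash would combine: host, URL and the partition.

    Only the verified partition label goes into the key, never the raw
    cookie, so a forged or tampered cookie collapses onto the regular cache.
    """
    return f"{host}|{url}|{cache_partition(cookie_header, now)}"


if __name__ == "__main__":
    issued = sign_premium_cookie("user42", expires_at=2000)
    print(hash_key("www.example.org", "/article/1", "premium=1", now=1000))
    print(hash_key("www.example.org", "/article/1", f"premium={issued}", now=1000))
```

On the Varnish side the same check needs a VMOD that can compute an HMAC over the cookie fields with the shared secret (for instance libvmod-digest on Varnish 3 and later; which VMOD fits depends on the Varnish version in use), after which the resulting "premium" or "regular" string is passed to hash_data() in vcl_hash. Synchronous lookups against memcached, the second option in the post, likewise require a VMOD rather than stock VCL, which is why no backend check appears in the VCL documentation.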