Problem setting cookie based client identity
Myyrä, Timo
timo.myyra at edita.fi
Thu Jan 9 14:22:25 CET 2014
Hi,
I'm having trouble setting up cookie based client identity for one of our
sites.
I'm planning on sanitising the Cookie value to only include customer
specific session cookie and removing other values.
Here's the relevant parts from vcl_recv:
std.log("Cookie before sanitizing: " + req.http.Cookie);
if (req.http.Cookie) {
set req.http.Cookie = ";" + req.http.Cookie;
set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";");
set req.http.Cookie = regsuball(req.http.Cookie,
";([A-Z]+_SESSION|PHPSESSID)", "; \1");
set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", "");
set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", "");
if (req.http.Cookie == "") {
remove req.http.Cookie;
}
}
std.log("Cookie after sanitizing: " + req.http.Cookie);
if (req.http.Cookie) {
set client.identity = req.http.Cookie;
} else {
set client.identity = client.ip;
}
std.log("Client identity set to " + client.identity);
# Remove cookie from static resources
if (req.url ~ "^assets") {
remove req.http.Cookie;
}
Above config seems to work on when I make simple login and page tests via
curl:
$ curl --cookie "FOO_SESSION=ah5ai7qaej4a006o79s9500ao5; expires=Thu,
09-Jan-2014 20:45:01 GMT; path=/foo; domain=https://wwwdev.example.com/;
secure; HttpOnly" -L -k --noproxy \* -i "
https://wwwdev.example.com/foo/fi/product/100490"
HTTP/1.1 200 OK
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 22511
Accept-Ranges: bytes
Date: Thu, 09 Jan 2014 13:09:34 GMT
Age: 0
Connection: close
X-Cache: MISS
...
# varnishlog -m "RxHeader:(Linux|curl)" | egrep
"(time|sanitizing|SESSION|identity)"
11 RxHeader c Cookie: FOO_SESSION=ah5ai7qaej4a006o79s9500ao5;
expires=Thu, 09-Jan-2014 20:45:01 GMT; path=/foo; domain=
https://wwwdev.example.com/; secure; HttpOnly
11 VCL_Log c Cookie before sanitizing:
FOO_SESSION=ah5ai7qaej4a006o79s9500ao5; expires=Thu, 09-Jan-2014 20:45:01
GMT; path=/foo; domain=https://wwwdev.example.com/; secure; HttpOnly
11 VCL_Log c Cookie after sanitizing:
FOO_SESSION=ah5ai7qaej4a006o79s9500ao5
11 VCL_Log c Client identity set to
FOO_SESSION=ah5ai7qaej4a006o79s9500ao5
Problems is that when I test the site via Firefox I can login succesfully
to site but when I click any link on the main page I get presented with the
login page again.
Seems like the varnish just droppes my cookie and wants to re-authenticate
me.
Here's snap of firefox varnishlog:
11 VCL_Log c Cookie before sanitizing:
__utma=190219199.1951064551.1362571635.1387260530.1389248604.60;
__utmz=190219199.1365759373.8...
11 VCL_Log c Cookie after sanitizing:
11 VCL_Log c Client identity set to 192.49.50.88
11 ObjHeader c Set-Cookie: FOO_SESSION=0ke75g55tvl8uglm3q95kjqf82;
expires=Thu, 09-Jan-2014 21:14:38 GMT; path=/foo; domain=
https://wwwdev.example.com/; secure; HttpOnly
11 TxHeader c Set-Cookie: FOO_SESSION=0ke75g55tvl8uglm3q95kjqf82;
expires=Thu, 09-Jan-2014 21:14:38 GMT; path=/foo; domain=
https://wwwdev.example.com/; secure; HttpOnly
11 VCL_Log c Cookie before sanitizing:
__utma=190219199.1951064551.1362571635.1387260530.1389248604.60;
__utmz=190219199.1365759373.8.2...
11 VCL_Log c Cookie after sanitizing:
11 VCL_Log c Client identity set to 192.49.50.88
As shown above, Varnish gets Set-Cookie from the application but doesn't
seem to "stick" to cookie. The cookie just contains the google analytics
stuff and not the FOO_SESSION as expected.
I tried to remove the secure and HttpOnly flags from cookie but that didn't
have any effect.
Any idea what is happening here and how to get this working?
Best regards,
Timo Myyrä
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.varnish-cache.org/lists/pipermail/varnish-misc/attachments/20140109/cd387985/attachment.html>
More information about the varnish-misc
mailing list