Cookie handling

Sam Crawford samcrawford at
Mon Apr 20 15:54:33 CEST 2009

Afternoon all,
I've been a keen user of Varnish for the past year or so and have just come
across a use case that I'm having trouble implementing. I'm familiar with
stripping the cookie upon insert and lookup in order to cache cookie-based
content, but the following is a slight twist on this.

We've got an SSO (single sign-on) service that requires an authentication
cookie to be presented for any protected resource. Our current setup (which
we're not able to change for a number of reasons) means that every URL under* is SSO protected - including requests for static
images, javascript, css, etc. Naturally we'd like to put Varnish in front of
this portal to cache static content.

The issue arises when we write our custom definitions of vcl_fetch. If we
find a static URL we'd do some like "remove req.http.cookie" and then
"lookup". However, if the content was not found in memory then it goes to
the backend. But by this point the incoming SSO cookie of the user has been
removed, so their request to the backend is denied.

So, is there a way to lookup a query in the hashtable *without* cookies, but
then if the request has to go to the backend *keep* the cookies?

I appreciate that this is conceptually not an ideal solution (as we'll be
caching another user's permissions to static content, etc etc), but any
suggestions would be greatly appreciated.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the varnish-misc mailing list