Cookie handling

Kristian Lyngstol kristian at
Mon Apr 20 16:07:20 CEST 2009

On Mon, Apr 20, 2009 at 02:54:33PM +0100, Sam Crawford wrote:
> The issue arises when we write our custom definitions of vcl_fetch. If we
> find a static URL we'd do something like "remove req.http.cookie" and then
> "lookup". However, if the content was not found in memory then it goes to
> the backend. But by this point the incoming SSO cookie of the user has been
> removed, so their request to the backend is denied.
> So, is there a way to lookup a query in the hashtable *without* cookies, but
> then if the request has to go to the backend *keep* the cookies?

This is actually the default behavior. By default, only the URL and
hostname are part of the hash. However, the default VCL also explicitly
passes any request with a cookie, which is why stripping the cookie is

If you replicate the behavior you want from the default VCL in your own
VCL, then end vcl_recv with lookup with a cookie, the object will be
fetched using the cookie, then stored (as long as vcl_fetch allows it to be

Keep in mind, however, that any protection is lost, as cached data won't
have their cookie confirmed. But I guess you're already aware of that.

Hope this can point you in the right direction.

Kristian Lyngstøl
Redpill Linpro AS
Tlf: +47 21544179
Mob: +47 99014497
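
Added example, not part of the original message and not Varnish code: a small Python model of the flow discussed in this thread, with the hash key built from host and URL only. It contrasts stripping the cookie before lookup with keeping it, and shows that a later hit is served without any cookie check. The class names, host, URL and cookie value are constructed for illustration.

```python
VALID_SSO = {"sso=alice-token"}   # constructed sample session cookie


class Backend:
    """Origin that denies any request lacking a valid SSO cookie."""

    def __init__(self):
        self.seen = []            # (url, cookie) for every request it receives

    def fetch(self, host, url, cookie):
        self.seen.append((url, cookie))
        if cookie not in VALID_SSO:
            return 403, "denied"
        return 200, "body of " + url


class Cache:
    """Cache keyed on (host, url); the cookie is never part of the key."""

    def __init__(self, backend, strip_cookie):
        self.backend = backend
        self.strip_cookie = strip_cookie
        self.store = {}

    def handle(self, host, url, cookie=None):
        key = (host, url)
        if key in self.store:
            # Hit: the backend is not consulted, so nothing confirms the cookie.
            return (*self.store[key], "hit")
        # Miss: the backend sees the cookie only if it was not stripped earlier.
        forwarded = None if self.strip_cookie else cookie
        status, body = self.backend.fetch(host, url, forwarded)
        if status == 200:         # stand-in for "vcl_fetch allows it to be stored"
            self.store[key] = (status, body)
        return status, body, "miss"


def demo(strip_cookie):
    """Logged-in user requests a static URL, then a cookieless client does."""
    backend = Backend()
    cache = Cache(backend, strip_cookie)
    first = cache.handle("www.example.com", "/static/logo.png", "sso=alice-token")
    second = cache.handle("www.example.com", "/static/logo.png", None)
    return first, second, backend.seen


if __name__ == "__main__":
    print("cookie stripped:", demo(strip_cookie=True))
    print("cookie kept:    ", demo(strip_cookie=False))
```
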