Cookie validation with varnish?

Simon Kammerer kontakt at
Wed May 20 10:38:14 CEST 2009


Has anyone done something like this (high level description...):

Web application sets cookie for user authentication, varnish acts as 
reverse proxy in front of dedicated image servers and checks if the 
cookie sent by the user is a valid cookie set by the web application.

Meaning that varnish can validate cookies (or session tokens attached to 
the GET request) against an external validating service, cache the 
result for a given TTL and then serve the requested content (or not).

Required level of security is low: The idea is to prevent the world from 
accessing media files on the dedicated image servers without login to 
the main web application. No superprivate data to protect. If someone 
could theoretically gain access to a few files due to some TTL race 
conditions or such, that's no tragedy. No roles, per-file permissions 
etc. (for now...).

I'm quite sure it's possible by inlining C in VCL.

Do you think this could be possible out of the box with some trickery?
Like creating a URL from the cookie, check this URL for 200 OK, cache 
the result, check further requests against the cached results or so?
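
The flow sketched in this message (build a URL from the cookie, check it for 200 OK, cache the verdict for a TTL), modeled in Python as an added example; it is not code from the post or from Varnish. The cookie name `session`, the `/auth/check?token=` endpoint and the `CookieGate` class are assumptions, and the session store and clock in `demo()` are constructed.

```python
import time
from http.cookies import CookieError, SimpleCookie
from urllib.parse import quote, unquote

class CookieGate:
    """Proxy-side model: validate a cookie via a URL, cache the verdict."""
    def __init__(self, check_status, ttl=60.0, cookie_name="session",
                 clock=time.monotonic):
        self.check_status = check_status  # callable(url) -> HTTP status code
        self.ttl = ttl
        self.cookie_name = cookie_name    # assumed cookie name
        self.clock = clock
        self.cache = {}                   # validation URL -> (allowed, expires_at)
        self.backend_calls = 0

    def validation_url(self, token):
        return "/auth/check?token=" + quote(token, safe="")  # hypothetical endpoint

    def allow(self, cookie_header):
        """Return True if the media request may be served."""
        jar = SimpleCookie()
        try:
            jar.load(cookie_header or "")
        except CookieError:
            return False
        morsel = jar.get(self.cookie_name)
        if morsel is None or not morsel.value:
            return False                  # no cookie: deny, no backend call
        url = self.validation_url(morsel.value)
        now = self.clock()
        hit = self.cache.get(url)
        if hit and hit[1] > now:
            return hit[0]                 # cached verdict, positive or negative
        self.backend_calls += 1
        allowed = self.check_status(url) == 200
        self.cache[url] = (allowed, now + self.ttl)
        return allowed

def demo():
    live, now = {"abc123"}, [0.0]         # constructed session store and clock
    check = lambda url: 200 if unquote(url.split("=", 1)[1]) in live else 403
    gate = CookieGate(check, ttl=60.0, clock=lambda: now[0])
    first = gate.allow("session=abc123; theme=dark")  # miss: asks the app
    second = gate.allow("session=abc123")             # hit: no backend call
    live.discard("abc123")                            # user logs out
    now[0] = 30.0
    stale = gate.allow("session=abc123")              # still allowed until TTL
    now[0] = 61.0
    expired = gate.allow("session=abc123")            # re-validated, denied
    return first, second, stale, expired, gate.backend_calls
```

The `stale` result is the TTL window the message accepts: a logged-out session keeps access until its cached verdict expires, so the TTL bounds that exposure.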

