Cookie validation with varnish?
Simon Kammerer
kontakt at web30.ch
Wed May 20 10:38:14 CEST 2009
hi,
has anyone done something like this (high level description...):
Web application sets cookie for user authentication, varnish acts as
reverse proxy in front of dedicated image servers and checks if the
cookie sent by the user is a valid cookie set by the web application.
Meaning that varnish can validate cookies (or session tokens attached to
the GET request) against an external validating service, cache the
result for a given TTL and then serve the requested content (or not).
Required level of security is low: The idea is to prevent the world from
accessing media files on the dedicated image servers without logging in to
the main web application. No superprivate data to protect. If someone
could theoretically gain access to a few files due to some TTL race
conditions or such, that's no tragedy. No roles, per file permission
etc. (for now...).
I'm quite sure it's possible by inlining C in VCL.
Do you think this could be possible out of the box with some trickery?
Like creating a URL from the cookie, check this URL for 200 OK, cache
the result, check further requests against the cached results or so?
Regards
Simon
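
The flow asked about above (derive a URL from the cookie, probe it for 200 OK, reuse the verdict for a TTL), modelled in Python as an added example that is not part of the original post and is not Varnish or VCL code. The cookie name `session`, the token alphabet, the `/validate/<token>` path and the `probe` callable are assumptions made for illustration.

```python
import re
import time
COOKIE_NAME = "session"                          # assumed cookie name
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{16,128}")  # assumed token alphabet

def token_from_cookie(header):
    """Return the session token from a Cookie header, or None if absent or malformed."""
    for part in (header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME and TOKEN_RE.fullmatch(value):
            return value
    return None

class CookieGate:
    """Proxy-side check: derive a URL from the cookie, probe it, cache the verdict."""
    def __init__(self, probe, ttl=60.0, neg_ttl=5.0, clock=time.monotonic):
        self.probe = probe        # hypothetical callable: path -> HTTP status code
        self.ttl = ttl            # how long a 200 verdict is reused
        self.neg_ttl = neg_ttl    # shorter, so a fresh login is not locked out for long
        self.clock = clock
        self.verdicts = {}        # token -> (allowed, expires_at); no eviction here

    def allow(self, cookie_header):
        token = token_from_cookie(cookie_header)
        if token is None:
            return False          # malformed input never reaches the validator
        now = self.clock()
        hit = self.verdicts.get(token)
        if hit and hit[1] > now:
            return hit[0]
        try:
            # token matched TOKEN_RE, so it cannot add path segments or a query string
            ok = self.probe("/validate/" + token) == 200
        except Exception:
            return False          # validator unreachable: fail closed, cache nothing
        self.verdicts[token] = (ok, now + (self.ttl if ok else self.neg_ttl))
        return ok

if __name__ == "__main__":
    live, now = {"A" * 20}, [0.0]  # constructed session store and fake clock
    gate = CookieGate(lambda p: 200 if p.rsplit("/", 1)[1] in live else 403,
                      clock=lambda: now[0])
    cookie = "lang=de; session=" + "A" * 20
    print(gate.allow(cookie))     # validated against the service, then cached
    live.clear()                  # user logs out of the web application
    now[0] = 30.0
    print(gate.allow(cookie))     # still allowed: cached verdict inside the TTL
    now[0] = 61.0
    print(gate.allow(cookie))     # TTL expired, re-probed, now denied
```

The second call in the demo is the TTL window the post accepts: a logged-out session keeps access until its cached verdict expires.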