neverending saga of varnish + joomla

Lars Jørgensen lajo at kb.dk
Mon Aug 8 09:18:34 CEST 2011


> The true problem lies in the method by which Joomla utilizes the same PHP session cookie for anonymous users and logged-in users. The reasoning behind
> this is so Joomla can reduce the risk of session hijacking and whatnot, which makes sense (I guess).

This sounds a bit like what OpenCMS does. It sets a JSESSION-cookie no matter what you do or who you are, and it's never used. If you log in, that same JSESSION-cookie is suddenly very relevant.

I got around it by always discarding the backend's Set-Cookie unless it was setting it from a login page. That way anonymous users would never get the cookie set until they logged in, and then it would be there for the rest of their session (causing Varnish to pass everything to the backend), even if they logged out again. That could probably be fixed, but I didn't consider it a problem.

In vcl_fetch

sub vcl_fetch {
  # Discard the backend's Set-Cookie unless the response comes from the login page
  if (req.url !~ "/system/loginpage") {
    unset beresp.http.Set-Cookie;
  }
}

Above is just to illustrate the principle.


--
Lars
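The approach above, written out as a complete pair of subroutines so that both halves of the trick are visible. This is an added example, not Lars's configuration or anything shipped by Varnish or Joomla; it uses Varnish 3.0 VCL syntax, and the login and logout paths ("/system/loginpage", "/system/logoutpage") are assumed placeholders that would need to match the real application. It also handles the logout case Lars mentions by letting the logout response's Set-Cookie through, so the client's session cookie can be expired and subsequent requests become cacheable again.

```vcl
sub vcl_recv {
    # A request that carries any Cookie is passed straight to the backend,
    # which is also Varnish's default behaviour. Because vcl_fetch below strips
    # Set-Cookie from every response except login/logout, anonymous clients never
    # acquire a cookie and so keep hitting the cache.
    if (req.http.Cookie) {
        return (pass);
    }
    return (lookup);
}

sub vcl_fetch {
    # Assumed paths (placeholders, not from the original post): the page that
    # issues the session cookie on login, and the page that clears it on logout.
    if (req.url ~ "^/system/loginpage" || req.url ~ "^/system/logoutpage") {
        # Let Set-Cookie reach the client (new session on login, expired cookie
        # on logout) and make sure such a response is never stored in the cache.
        set beresp.ttl = 120s;
        return (hit_for_pass);
    }

    # Everything else: drop the backend's Set-Cookie so that anonymous users
    # stay cookieless and cacheable. Only cookieless requests reach this point
    # (cookied ones were passed in vcl_recv), so a logged-in user's page is
    # never the object that gets cached here.
    unset beresp.http.Set-Cookie;
    return (deliver);
}
```

One caveat worth checking before deploying something like this: any cookie the application sets on pages other than login, for example a CSRF or form token handed to anonymous visitors, is also discarded, so forms that depend on such a cookie must be added to the exception list.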
URL: <https://www.varnish-cache.org/lists/pipermail/varnish-misc/attachments/20110808/5ecdb2f6/attachment-0003.html>