Session issues when using Varnish

Bjørn Ruberg bjorn at
Wed Mar 16 19:03:52 CET 2011

On 03/16/2011 04:55 PM, Chris Bloom wrote:
> Thank you, Bjorn, for your response.
> Our hosting provider tells me that the following routines have been
> added to the default config.
> sub vcl_recv {
>    # Cache things with these extensions
>    if (req.url ~
> "\.(js|css|JPG|jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|swf)$") {
>      unset req.http.cookie;
>      return (lookup);
>    }
> }
> sub vcl_fetch {
>    # Cache things with these extensions
>    if (req.url ~
> "\.(js|css|JPG|jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|swf)$") {
>      unset req.http.set-cookie;
>      set obj.ttl = 1h;
>    }
> }

This is a rather standard config, not designed for corner cases like yours.

> Clearly the req.url variable contains the entire request URL, including
> the querystring. Is there another variable that I should be using
> instead that would only include the script name? If this is the default
> behavior, I'm inclined to cry "bug".

You can start crying bug after you've convinced the rest of the Internet 
world, including all browsers, that the query string should not be 
considered part of the URL. In the meantime, I suggest you let your 
provider know that your application has special requirements that they 
will need to accommodate.

Your provider can't offer proper service when they don't know your 
requirements. To provide you with a useful Varnish configuration, your 
provider needs to know quite a few things about how your application 
works. This includes any knowledge of cookies and when Varnish should 
and should not allow them. Since you ask the Varnish community instead 
of discussing this with your provider, I guess these requirements were 
never communicated.

A few tips you and your provider can consider:

a) Perhaps a second cookie could be set by the backend application for 
logged-in users. A configuration could be made so that Varnish would 
choose to not remove cookies from the file suffixes listed if this 
cookie was present.

b) If the path(s)/filename(s) where the query string may include the 
mentioned file suffixes are identifiable, your provider could create an 
exception for those. E.g. if ?foo=bar.jpg only occurs with 
/some/test/file.php, then the if clause in vcl_recv could take that into 

c) Regular expressions in 2.0.6 are case insensitive, so listing both 
"jpg" and "JPG" in the same expression is unnecessary.


More information about the varnish-misc mailing list