Passing cookies to ESI includes

[Dridi Boukelmoune]

Hi all,

I hope someone can help me with this ESI problem I have with one of my clients.

One of the applications here use Varnish in front of two backends, and
we see a lot of session garbage allocated because of ESI not passing
cookies back-and-forth.

The two backends in a nutshell:
- front office (drupal cms)
- back office (java webapp, connected to other services of the company)

For the sake of simplicity, assume the front and back offices send
respectively PHPSESSID and JSESSIONID cookies.

The setup is also twisted, since you can actually access to both front
and back offices (varnish does the routing) and each can esi:include
fragments from the other. I haven't got through the 5 whys with the
team yet...

The worst case scenario:

- Access to the front office without any cookie
=> drupal adds a set-cookie header for PHPSESSID
=> varnish finds N esi:include tags
==> the back office creates N different JSESSIONID set-cookie headers
(one per request)

It means N wasted sessions on the back office since none of the
cookies will be retrieved by the user agent. And this will happen
until you actually hit a page directly on the back office (with a
shiny JSESSIONID).

The ideal solution:

- Access to the front office without any cookie
=> drupal adds a set-cookie header for PHPSESSID
=> varnish finds N esi:include tags
==> varnish fires the first esi request
===> the backoffice adds a set-cookie header for JSESSIONID
===> varnish adds the JSESSIONID cookie to the existing set-cookie header
===> varnish adds the JSESSIONID cookie header to the next requests
==> varnish fires the other N-1 esi requests with the JSESSIONID cookie
===> the back office doesn't create additional sessions
==> varnish answers with both PHPSESSID and JSESSIONID cookies
=> champagne \o/

I'm open to any kind of solution, including (no pun intended) inline C
or open source vmods. Any help appreciated :)

One more thing:
I'm aware of libvmod-header, which solves the (implicit) multiple
Set-Cookie headers issue, but doesn't help cross the ESI boundaries.

Best Regards,
Dridi