Problem setting cookie based client identity

Per Buer perbu at varnish-software.com
Thu Jan 9 19:51:47 CET 2014


Hi Timo,

On Thu, Jan 9, 2014 at 2:22 PM, Myyrä, Timo <timo.myyra at edita.fi> wrote:

> Hi,
>
> I'm having trouble setting up cookie based client identity for one of our
> sites.
> I'm planning on sanitising the Cookie value to only include customer
> specific session cookie and removing other values.
>

Ok.

>
> Here's the relevant parts from vcl_recv:
>
(..)


>     # Remove cookie from static resources
>     if (req.url ~ "^assets") {
>       remove req.http.Cookie;
>     }
>

This code probably won't be triggered, as URLs start with /.


> Above config seems to work on when I make simple login and page tests via
> curl:
> $ curl --cookie "FOO_SESSION=ah5ai7qaej4a006o79s9500ao5; expires=Thu,
> 09-Jan-2014 20:45:01 GMT; path=/foo;
>

Here you send the cookie with curl and all is fine.


> Problem is that when I test the site via Firefox I can login successfully
> to site but when I click any link on the main page I get presented with the
> login page again.
> Seems like the varnish just drops my cookie and wants to re-authenticate
> me.
>

There is one potential problem with the whole approach you are using. On
the first request there is no cookie. Then the cookie is created and the
session is created. The cookie is passed to the client through Varnish.

Varnish doesn't know about the relationship between the session and the
cookie. So Varnish will hash the cookie and might direct the client to
another server, which might or might not have the session.

Then there is this:

> Here's snap of firefox varnishlog:
>    11 VCL_Log      c Cookie before sanitizing:
> __utma=190219199.1951064551.1362571635.1387260530.1389248604.60;
> __utmz=190219199.1365759373.8...
>    11 VCL_Log      c Cookie after sanitizing:
>    11 VCL_Log      c Client identity set to 192.49.50.88
>    11 ObjHeader    c Set-Cookie: FOO_SESSION=0ke75g55tvl8uglm3q95kjqf82;
> expires=Thu, 09-Jan-2014 21:14:38 GMT; path=/foo; domain=
> https://wwwdev.example.com/; secure; HttpOnly
>    11 TxHeader     c Set-Cookie: FOO_SESSION=0ke75g55tvl8uglm3q95kjqf82;
> expires=Thu, 09-Jan-2014 21:14:38 GMT; path=/foo; domain=
> https://wwwdev.example.com/; secure; HttpOnly
>    11 VCL_Log      c Cookie before sanitizing:
> __utma=190219199.1951064551.1362571635.1387260530.1389248604.60;
> __utmz=190219199.1365759373.8.2...
>    11 VCL_Log      c Cookie after sanitizing:
>    11 VCL_Log      c Client identity set to 192.49.50.88
>
> As shown above, Varnish gets Set-Cookie from the application but doesn't
> seem to "stick" to cookie.
>

Varnish doesn't know what Set-Cookie means. There is VCL that might trigger
a hit-for-pass, but other than that there is no handling of Set-Cookie.

Also, I think the syntax of your Set-Cookie is wrong. domain should look
like domain=example.com - do not specify the protocol here. So Firefox, as it
should, throws the cookie away.


Per.

-- 
 <http://www.varnish-software.com/> *Per Buer*
CTO | Varnish Software AS
Phone: +47 958 39 117 | Skype: per.buer
We Make Websites Fly!

Winner of the Red Herring Top 100 Europe Award 2013
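The two failure modes discussed in this thread (the client identity flipping from IP to cookie between the first and second request, and a Set-Cookie whose domain attribute carries a scheme) can be reproduced outside Varnish. The following is an added example written for this page; it is not code from the mail, from Timo's VCL, or from the Varnish project. It assumes the session cookie is named FOO_SESSION (as in the curl test) and uses constructed Cookie and Set-Cookie header values modelled on the varnishlog excerpt.

```python
import re

# Assumption: the customer-specific session cookie name from the thread's curl test.
SESSION_COOKIE = "FOO_SESSION"


def sanitize_cookie_header(cookie_header, keep=SESSION_COOKIE):
    """Keep only the session cookie from a Cookie request header.

    This mirrors the vcl_recv intent in the thread: tracking cookies such as
    __utma/__utmz are dropped so they do not pollute the hash. It returns ''
    when no session cookie is present, which is the case on the very first
    request and also in the Firefox varnishlog excerpt above.
    """
    kept = []
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == keep and value:
            kept.append(f"{name}={value}")
    return "; ".join(kept)


def client_identity(client_ip, cookie_header):
    """Identity used for hashing, as the thread's VCL does it.

    Cookie if present, otherwise the client IP. Because the first request has
    no cookie, the identity (and hence the backend chosen by a hash director)
    can change between the first and second request, which is the problem
    Per points out.
    """
    session = sanitize_cookie_header(cookie_header)
    return session if session else client_ip


def check_set_cookie_domain(set_cookie_header):
    """Return (ok, reason) for the Domain attribute of a Set-Cookie header.

    RFC 6265 allows only a host name in Domain. A scheme or path in it, like
    'domain=https://wwwdev.example.com/' in the varnishlog above, makes the
    browser discard the cookie, so the next request carries no FOO_SESSION.
    """
    m = re.search(r"(?i)(?:^|;)\s*domain=([^;]*)", set_cookie_header)
    if not m:
        return True, "no Domain attribute (cookie scoped to request host)"
    domain = m.group(1).strip().lstrip(".")
    if "://" in domain:
        return False, f"Domain contains a scheme: {domain!r}"
    if "/" in domain:
        return False, f"Domain contains a path: {domain!r}"
    if not re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*", domain):
        return False, f"Domain is not a host name: {domain!r}"
    return True, f"Domain ok: {domain}"


if __name__ == "__main__":
    # Constructed headers modelled on the thread (values shortened).
    firefox_cookie = "__utma=190219199.1951064551.1362571635; __utmz=190219199.1365759373.8"
    curl_cookie = "FOO_SESSION=ah5ai7qaej4a006o79s9500ao5; expires=Thu, 09-Jan-2014 20:45:01 GMT; path=/foo"
    bad_set_cookie = ("FOO_SESSION=0ke75g55tvl8uglm3q95kjqf82; expires=Thu, 09-Jan-2014 21:14:38 GMT; "
                      "path=/foo; domain=https://wwwdev.example.com/; secure; HttpOnly")
    good_set_cookie = "FOO_SESSION=0ke75g55tvl8uglm3q95kjqf82; path=/foo; domain=example.com; secure; HttpOnly"

    print("identity, first request :", client_identity("192.49.50.88", firefox_cookie))
    print("identity, with session  :", client_identity("192.49.50.88", curl_cookie))
    print("bad Set-Cookie          :", check_set_cookie_domain(bad_set_cookie))
    print("fixed Set-Cookie        :", check_set_cookie_domain(good_set_cookie))
```

Running it shows the identity falling back to the client IP whenever the sanitized Cookie header is empty, which is exactly what the "Client identity set to 192.49.50.88" log lines reflect, and flags the scheme inside the domain attribute that causes Firefox to drop the session cookie in the first place.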