Problem setting cookie based client identity

Myyrä, Timo timo.myyra at edita.fi
Fri Jan 10 07:58:33 CET 2014


Ah, obvious issues yet again after they get pointed out :)

Apparently it was Firefox that discarded the cookie, and obviously it
doesn't report anything about that to the Varnish logs.
I modified the domain part to strip the protocol and trailing slash from it
and things seem to work now.

Gotta test a bit further to see varnish cache doesn't do anything
unexpected.
Now that I remove the cookie header from the /assets urls I think varnish
caches those requests by default unless told otherwise.
Need to verify they are common stuff and not something which would require
authentication.

Now that cookie is sanitized to include only my session cookie, I could
probably add it to the hash function and tweak the varnish to cache pages
even where cookies are set. This would give user-specific caching if I've
understood the Varnish examples correctly.

Thanks for your help,
timo




2014/1/9 Per Buer <perbu at varnish-software.com>

> Hi Timo,
>
> On Thu, Jan 9, 2014 at 2:22 PM, Myyrä, Timo <timo.myyra at edita.fi> wrote:
>
>> Hi,
>>
>> I'm having trouble setting up cookie based client identity for one of our
>> sites.
>> I'm planning on sanitising the Cookie value to only include customer
>> specific session cookie and removing other values.
>>
>
> Ok.
>
>>
>> Here's the relevant parts from vcl_recv:
>>
> (..)
>
>
>>     # Remove cookie from static resources
>>     if (req.url ~ "^assets") {
>>       remove req.http.Cookie;
>>     }
>>
>
> This code probably won't be triggered as urls start with /.
>
>
>> Above config seems to work when I make simple login and page tests via
>> curl:
>> $ curl --cookie "FOO_SESSION=ah5ai7qaej4a006o79s9500ao5; expires=Thu,
>> 09-Jan-2014 20:45:01 GMT; path=/foo;
>>
>
> Here you send the cookie with curl and all is fine.
>
>
>> Problem is that when I test the site via Firefox I can login successfully
>> to site but when I click any link on the main page I get presented with the
>> login page again.
>> Seems like the varnish just drops my cookie and wants to
>> re-authenticate me.
>>
>
> There is one potential problem with the whole approach you are using. On
> the first request there is no cookie. Then the cookie is created and the
> session is created. The cookie is passed to the client through Varnish.
>
> Varnish doesn't know about the relationship between the session and the
> cookie. So Varnish will hash the cookie and might direct the client to
> another server, which might or might not have the session.
>
> Then there is this:
>
>> Here's a snap of the Firefox varnishlog:
>>    11 VCL_Log      c Cookie before sanitizing:
>> __utma=190219199.1951064551.1362571635.1387260530.1389248604.60;
>> __utmz=190219199.1365759373.8...
>>    11 VCL_Log      c Cookie after sanitizing:
>>    11 VCL_Log      c Client identity set to 192.49.50.88
>>    11 ObjHeader    c Set-Cookie: FOO_SESSION=0ke75g55tvl8uglm3q95kjqf82;
>> expires=Thu, 09-Jan-2014 21:14:38 GMT; path=/foo; domain=
>> https://wwwdev.example.com/; secure; HttpOnly
>>    11 TxHeader     c Set-Cookie: FOO_SESSION=0ke75g55tvl8uglm3q95kjqf82;
>> expires=Thu, 09-Jan-2014 21:14:38 GMT; path=/foo; domain=
>> https://wwwdev.example.com/; secure; HttpOnly
>>    11 VCL_Log      c Cookie before sanitizing:
>> __utma=190219199.1951064551.1362571635.1387260530.1389248604.60;
>> __utmz=190219199.1365759373.8.2...
>>    11 VCL_Log      c Cookie after sanitizing:
>>    11 VCL_Log      c Client identity set to 192.49.50.88
>>
>> As shown above, Varnish gets Set-Cookie from the application but doesn't
>> seem to "stick" to cookie.
>>
>
> Varnish doesn't know what Set-Cookie means. There is VCL that might
> trigger a hit-for-pass, but other than that there is no handling of
> Set-Cookie.
>
> Also, I think the syntax of your Set-Cookie is wrong. domain should look
> like domain=example.com - do not specify protocol here. So Firefox, as
> it should, throws the cookies away.
>
>
> Per.
>
> --
>  <http://www.varnish-software.com/> *Per Buer*
> CTO | Varnish Software AS
> Phone: +47 958 39 117 | Skype: per.buer
> We Make Websites Fly!
>
> Winner of the Red Herring Top 100 Europe Award 2013
>
>
>


-- 
Best regards,

Timo Myyrä
IT Specialist
Edita Prima Oy, Development Unit
Hakuninmaantie 2
PL 200
00043 Edita
+358 40 860 2103
timo.myyra at edita.fi
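
Why the browser discarded the cookie shown in the varnishlog excerpt, as an added example that is not part of the original thread: the Domain-attribute check from RFC 6265, run over the logged Set-Cookie value and over the same value with the protocol and trailing slash stripped. Function names are made up for this example, and public-suffix checks and all other cookie attributes are left out.

```python
# Added example: RFC 6265 Domain handling only (5.1.3, 5.2.3, 5.3 step 6).
import ipaddress


def cookie_attrs(set_cookie):
    """Return the attributes of a Set-Cookie value as {lowercased-name: value}."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        key, _, val = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    return attrs


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_match(host, cookie_domain):
    """5.1.3: identical, or host ends with '.' + cookie_domain and is not an IP."""
    host, cookie_domain = host.lower(), cookie_domain.lower()
    return host == cookie_domain or (
        host.endswith("." + cookie_domain) and not is_ip(host))


def browser_accepts(set_cookie, request_host):
    """Return (accepted, reason), judging the Domain attribute only."""
    domain = cookie_attrs(set_cookie).get("domain", "")
    if domain.startswith("."):
        domain = domain[1:]  # 5.2.3: a leading dot is ignored
    if not domain:
        return True, "host-only cookie for " + request_host
    if not domain_match(request_host, domain):
        return False, "Domain=%s does not match host %s" % (domain, request_host)
    return True, "domain cookie for " + domain.lower()


# Set-Cookie value from the varnishlog excerpt in the thread, line wraps joined.
LOGGED = ("FOO_SESSION=0ke75g55tvl8uglm3q95kjqf82; expires=Thu, 09-Jan-2014 "
          "21:14:38 GMT; path=/foo; domain=https://wwwdev.example.com/; secure; HttpOnly")
# The same value with the protocol and trailing slash stripped from the domain.
FIXED = LOGGED.replace("https://wwwdev.example.com/", "wwwdev.example.com")

if __name__ == "__main__":
    for header in (LOGGED, FIXED):
        print(browser_accepts(header, "wwwdev.example.com"))
```

Because the rejection happens in the browser, nothing about it appears in varnishlog; the only visible symptom is that the next request arrives without FOO_SESSION.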