<div dir="ltr"><div><div><div><div>Hi,<br><br></div>I'm having trouble setting up cookie-based client identity for one of our sites.<br></div>I'm planning on sanitising the Cookie value to only include the customer-specific session cookie and removing other values.<br>

<br></div>Here are the relevant parts from vcl_recv:<br>   std.log("Cookie before sanitizing: " + req.http.Cookie);<br>    if (req.http.Cookie) {<br>      set req.http.Cookie = ";" + req.http.Cookie;<br>

      set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";");<br>      set req.http.Cookie = regsuball(req.http.Cookie, ";([A-Z]+_SESSION|PHPSESSID)", "; \1");<br>      set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", "");<br>

      set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", "");<br><br>      if (req.http.Cookie == "") {<br>        remove req.http.Cookie;<br>      }<br>    }<br>    std.log("Cookie after sanitizing: " + req.http.Cookie);<br>

<br>    if (req.http.Cookie) {<br>      set client.identity = req.http.Cookie;<br>    } else {<br>      set client.identity = client.ip;<br>    }<br>    std.log("Client identity set to " + client.identity);<br>
<br>
    # Remove cookie from static resources<br>    if (req.url ~ "^assets") {<br>      remove req.http.Cookie;<br>    }<br><br></div>Above config seems to work on when I make simple login and page tests via curl:<br>

<div><div>$ curl --cookie "FOO_SESSION=ah5ai7qaej4a006o79s9500ao5; expires=Thu, 09-Jan-2014 20:45:01 GMT; path=/foo; domain=<a href="https://wwwdev.example.com/">https://wwwdev.example.com/</a>; secure; HttpOnly" -L -k --noproxy \* -i "<a href="https://wwwdev.example.com/foo/fi/product/100490">https://wwwdev.example.com/foo/fi/product/100490</a>"<br>

HTTP/1.1 200 OK<br>Expires: Thu, 19 Nov 1981 08:52:00 GMT<br>Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0<br>Pragma: no-cache<br>Content-Type: text/html; charset=UTF-8<br>Content-Length: 22511<br>

Accept-Ranges: bytes<br>Date: Thu, 09 Jan 2014 13:09:34 GMT<br>Age: 0<br>Connection: close<br>X-Cache: MISS<br>...<br><br># varnishlog -m "RxHeader:(Linux|curl)" | egrep "(time|sanitizing|SESSION|identity)"<br>

   11 RxHeader     c Cookie: FOO_SESSION=ah5ai7qaej4a006o79s9500ao5; expires=Thu, 09-Jan-2014 20:45:01 GMT; path=/foo; domain=<a href="https://wwwdev.example.com/">https://wwwdev.example.com/</a>; secure; HttpOnly<br>   11 VCL_Log      c Cookie before sanitizing: FOO_SESSION=ah5ai7qaej4a006o79s9500ao5; expires=Thu, 09-Jan-2014 20:45:01 GMT; path=/foo; domain=<a href="https://wwwdev.example.com/">https://wwwdev.example.com/</a>; secure; HttpOnly<br>

   11 VCL_Log      c Cookie after sanitizing: FOO_SESSION=ah5ai7qaej4a006o79s9500ao5<br>   11 VCL_Log      c Client identity set to FOO_SESSION=ah5ai7qaej4a006o79s9500ao5<br><br></div><div>Problem is that when I test the site via Firefox I can log in successfully to the site but when I click any link on the main page I get presented with the login page again.<br>

Seems like Varnish just drops my cookie and wants to re-authenticate me.<br><br></div><div>Here's a snap of the Firefox varnishlog:<br>   11 VCL_Log      c Cookie before sanitizing: __utma=190219199.1951064551.1362571635.1387260530.1389248604.60; __utmz=190219199.1365759373.8...<br>

   11 VCL_Log      c Cookie after sanitizing: <br>   11 VCL_Log      c Client identity set to 192.49.50.88<br>   11 ObjHeader    c Set-Cookie: FOO_SESSION=0ke75g55tvl8uglm3q95kjqf82; expires=Thu, 09-Jan-2014 21:14:38 GMT; path=/foo; domain=<a href="https://wwwdev.example.com/">https://wwwdev.example.com/</a>; secure; HttpOnly<br>

   11 TxHeader     c Set-Cookie: FOO_SESSION=0ke75g55tvl8uglm3q95kjqf82; expires=Thu, 09-Jan-2014 21:14:38 GMT; path=/foo; domain=<a href="https://wwwdev.example.com/">https://wwwdev.example.com/</a>; secure; HttpOnly<br>

   11 VCL_Log      c Cookie before sanitizing: __utma=190219199.1951064551.1362571635.1387260530.1389248604.60; __utmz=190219199.1365759373.8.2...<br>   11 VCL_Log      c Cookie after sanitizing: <br>   11 VCL_Log      c Client identity set to 192.49.50.88<br>

<br></div><div>As shown above, Varnish gets Set-Cookie from the application but doesn't seem to "stick" to the cookie. The cookie just contains the Google Analytics stuff and not the FOO_SESSION as expected.<br>

</div><div>I tried to remove the secure and HttpOnly flags from the cookie but that didn't have any effect. <br><br></div><div>Any idea what is happening here and how to get this working? <br></div><div><div><div><div><br clear="all">

<div>Best regards,<br></div><div>Timo Myyrä<br></div></div></div></div></div></div></div>
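
The sanitizing steps from the vcl_recv above, ported to Python so they can be run offline against sample Cookie request headers. This is an added example, not part of the original post: the sample headers and the names sanitize_cookie and client_identity are constructed for illustration, and Python's re module is assumed to behave like Varnish's regex engine for these four patterns.

```python
import re

# Constructed sample Cookie request headers (not taken from the post's logs).
SAMPLES = {
    "curl_style": "FOO_SESSION=abc123; expires=Thu, 09-Jan-2014 20:45:01 GMT; "
                  "path=/foo; secure; HttpOnly",
    "browser_with_session": "__utma=1.2.3; FOO_SESSION=abc123; __utmz=4.5.6",
    "browser_without_session": "__utma=1.2.3; __utmz=4.5.6",
    "php_session": "lang=fi;PHPSESSID=deadbeef",
    # Dropped: the keep pattern is case-sensitive.
    "lowercase_name": "foo_session=abc123",
    # Kept: the keep pattern is not anchored on "=", so a longer name passes.
    "lookalike_name": "FOO_SESSION_COPY=zzz; other=1",
}


def sanitize_cookie(header):
    """Apply the four regsuball() steps from the posted vcl_recv, in order."""
    if not header:
        return None
    c = ";" + header
    c = re.sub(r"; +", ";", c)                              # "; " -> ";"
    c = re.sub(r";([A-Z]+_SESSION|PHPSESSID)", r"; \1", c)  # mark cookies to keep
    c = re.sub(r";[^ ][^;]*", "", c)                        # drop unmarked cookies
    c = re.sub(r"^[; ]+|[; ]+$", "", c)                     # trim separators
    return c or None  # the VCL removes the header when nothing is left


def client_identity(header, client_ip):
    """Mirror the posted fallback: sanitized cookie if any, else the client IP."""
    return sanitize_cookie(header) or client_ip


if __name__ == "__main__":
    for name, header in SAMPLES.items():
        # 192.0.2.10 is a documentation address used as a stand-in client IP.
        print(f"{name:24} -> {client_identity(header, '192.0.2.10')}")
```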