I have an application that is fronted by a Varnish server. Parts of the page are rendered using ESI includes.
My problem is that the upstream response includes an encrypted session cookie, which among other things contains a CSRF token (no server-side session storage at all).
For an initial request (no cookie in the request), the ESI requests will not include a cookie set by the first response from the upstream server.
I've tried setting req.http.Cookie in the vcl_deliver hook, as it's the only place in the request flow I've found where both req and res are R/W accessible. However, looking at the requests with varnishlog reveals the ESI requests are unaffected and don't include the cookie.
I've done my best to trawl through the documentation, but can't find anything remotely useful.
Is it possible to achieve what I want, i.e. update req so that the ESI requests include the cookie returned by the initial upstream response?