How to make Varnish ignore, not delete cookies

Question

I want to use Varnish to cache certain pages even in the presence of cookies. There are 3 possibilities that I need to take care of:

An anonymous user is viewing some page
A logged in user is viewing some page with light customization. These customizations are all stored in a signed-cookie and are dynamically populated by Javascript. The vary-cookie http header is not set.
A logged in user is viewing some page with customized data from the database. The vary-cookie http header is set.

The expected behaviors would be:

Cache the page. This is the most basic scenario for Varnish to handle.
Cache the page and do not delete the cookie because some Javascript logic needs it.
Never cache this page because vary-cookie is signalling the cookie contents will affect the output of this page.

I have read some docs on Varnish and I cannot tell if this is the default behavior or if there is some setup I have to do in VCL to make it happen.

score 3 · Answer 1 · answered Nov 25 '10 at 11:48

By default Varnish doesn't cache requests with a Cookie header:

http://varnish-cache.org/svn/trunk/varnish-cache/bin/varnishd/default.vcl

  sub vcl_recv {
(...)
  if (req.http.Authorization || req.http.Cookie) {
        /* Not cacheable by default */
        return (pass);
    }
    return (lookup);

You need to code the behaviour you want into the configuration. Be aware that the Cookie is part of the client request, not the "page" (object, really). The "page" (object) comes with a "Set-Cookie" header - that's the one that will be cached.

Also, "Vary: Cookie" doesn't mean "do not cache". It means cache one object for every value of Cookie received.

If your application doesn't generate any content based on Cookie, it's probably safe to ignore it:

-      if (req.http.Authorization || req.http.Cookie) {
+      if (req.http.Authorization) {

Do some tests and you will get the hang of it. Hope this helps.

Ok this is starting to make more sense now. I definitely don't want to cache responses with the set-cookie header because things like the CSRF token get set there. — Jason Christa, Nov 25 '10 at 13:53
Also can I use the Vary: Cookie header a signal not to try to cache the page. If you had 10,000 active users, caching a page for each of them is probably a waste of space. — Jason Christa, Nov 25 '10 at 13:55
If you don't want the page to be cached for each user have the application return "Cache-Control: private" — Thiago Figueiro, Dec 04 '10 at 07:03

score 0 · Answer 2 · edited Apr 13 '17 at 12:14

0

If I understand you correctly, you do not want a specific cookie as part of the key - but you need to leave it intact?

You need to set the hash in vcl_hash to be req.url + req.http.host (and possibly others), but not the specific cookie..

I think one of my posts could help you in the right direction: Ignoring GET parameters in Varnish VCL

edited Apr 13 '17 at 12:14

Community

1

answered Nov 25 '10 at 12:12

3molo

4,340
5
30
46

How to make Varnish ignore, not delete cookies

2 Answers2

Linked