
A client contacted us with a problem with the login system on one of the pages we coded. Sometimes it happens that users log in as someone else. As much as we tried, we couldn't replicate it. I suspect Varnish is causing this (since the first time the client reported this issue was after the sysadmin set it up), but I don't have much experience with it and our sysadmin doesn't seem to be willing to help.

The page uses ESI. All user-specific includes aren't cached at all, with one exception: there's a username in the header in a separate include. We cache this ESI with Vary: Cookie, so that shouldn't be a problem.

Our setup on the server is Nginx -> Varnish -> Apache. This is our Varnish config. Nginx shouldn't be caching anything (at least the sysadmin claims so).

I suspect there is some typo or misconfiguration in Varnish config. Any hints are welcome.

1 Answer


I suspect that this could be related to your vcl_hash function. If you don't need it, comment this out and see what happens -- try it first in a test server that mimics your client's setup.

Details follow (I'm new to Varnish, so here is my understanding):

This function is what Varnish uses to "mark" cached content. Based on the logic here, the hash is either the request URL, the host or the server IP. If user1 comes along and logs in at clientapp.com, Varnish marks that page with a hash using the host clientapp.com. So when user2 comes along at the same host, Varnish sees the page is already cached based on the rules in the hash function and delivers the cached page to user2 when it shouldn't. If user2 logs in by visiting the IP address of the server, I'll bet you they would see their information. However, if user3 logs in via the IP address, he/she will see user2's information.

sub vcl_hash {
    hash_data(req.url); //This is never used 'cos of the lines that follow

    if (req.http.host) {
        hash_data(req.http.host);
    } else {
        hash_data(server.ip);
    }

    return (hash);
}
KM.
  • That's about it. It's pretty odd to edit the vcl_hash in this way, the standard hash is normally sufficient! – Kirrus Jun 09 '12 at 15:38
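To make the failure mode discussed in this thread concrete, here is a small model of a shared cache whose base key is host + URL (with the server IP standing in when no Host header is present), as in the vcl_hash above. It is an added, constructed example, not Varnish code and not from the question or the answer; the session table, the user names, the /header.esi path and the 203.0.113.10 address are all made up. It shows that with such a key, a user-specific fragment stored without a Vary: Cookie response header is handed to the next user who hits the same key, whereas with Vary: Cookie the cache keeps one variant per cookie value. The cross_user_hits function is a simple audit check a defender can run over served responses to detect this kind of leak.

```python
"""Toy shared-cache model (constructed; not Varnish code, not from the post).

Base cache key = (host or server IP, url), like the vcl_hash in the answer.
If the origin's response carries Vary: Cookie, the cache stores one variant
per Cookie value; if it does not, the first user's fragment is served to all.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    url: str
    host: Optional[str]          # None models a request sent straight to the IP
    cookie: Optional[str] = None


@dataclass
class Response:
    body: str
    vary: tuple = ()             # header names the response varies on, e.g. ("Cookie",)


class Backend:
    """Constructed origin that renders the 'username in header' include."""
    SESSIONS = {"sid=aaa": "alice", "sid=bbb": "bob",      # constructed sessions
                "sid=ccc": "carol", "sid=ddd": "dave"}

    def __init__(self, send_vary_cookie: bool):
        self.send_vary_cookie = send_vary_cookie

    def fetch(self, req: Request) -> Response:
        user = self.SESSIONS.get(req.cookie, "anonymous")
        vary = ("Cookie",) if self.send_vary_cookie else ()
        return Response(body=f"Logged in as {user}", vary=vary)


class Cache:
    SERVER_IP = "203.0.113.10"   # placeholder address (TEST-NET-3), constructed

    def __init__(self, backend: Backend):
        self.backend = backend
        self.store = {}          # base key -> list of (variant, vary, response)

    def base_key(self, req: Request):
        # Mirrors hash_data(req.url) plus host, falling back to server.ip.
        return (req.host if req.host else self.SERVER_IP, req.url)

    @staticmethod
    def variant(req: Request, vary: tuple):
        # Request-header values named by Vary; only Cookie is modelled here.
        return tuple(req.cookie if h.lower() == "cookie" else None for h in vary)

    def get(self, req: Request):
        entries = self.store.setdefault(self.base_key(req), [])
        for variant, vary, resp in entries:
            if self.variant(req, vary) == variant:
                return resp, "hit"
        resp = self.backend.fetch(req)
        entries.append((self.variant(req, resp.vary), resp.vary, resp))
        return resp, "miss"


def serve_sequence(send_vary_cookie: bool):
    """Alice then Bob load the include via the hostname; Carol then Dave via
    the bare IP (no Host header). Returns (cookie, body served) pairs."""
    cache = Cache(Backend(send_vary_cookie))
    requests = [
        Request("/header.esi", "clientapp.com", "sid=aaa"),
        Request("/header.esi", "clientapp.com", "sid=bbb"),
        Request("/header.esi", None, "sid=ccc"),
        Request("/header.esi", None, "sid=ddd"),
    ]
    return [(r.cookie, cache.get(r)[0].body) for r in requests]


def cross_user_hits(served, sessions=Backend.SESSIONS):
    """Audit check: flag responses that name a user other than the one the
    session cookie belongs to (the symptom the client reported)."""
    return [(cookie, body) for cookie, body in served
            if body != f"Logged in as {sessions.get(cookie, 'anonymous')}"]


if __name__ == "__main__":
    for flag in (False, True):
        print("Vary: Cookie sent" if flag else "no Vary header",
              "->", cross_user_hits(serve_sequence(flag)))
```

Note how the hostname and IP paths behave exactly as the answer describes when no Vary header is honoured: each distinct base key gets its own first-comer's fragment, and everyone arriving at that key afterwards sees it. The same audit can be applied to real traffic by comparing the session cookie on a request with the identity rendered in the response it received.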