Search code examples
regexmagentocookiesvarnish-vcl

Using Varnish 3 to set cookies

I'm attempting to set a cookie using Varnish but am not seeing how multiple headers of the same name are treated. For instance, if multiple cookies need to be set, the application would send:

Set-Cookie:sources=source+2; expires=Tue, 04-Nov-2014 17:12:50 GMT; path=/; domain=.xampp.com.local
Set-Cookie:someOtherCookie=othervalue; expires=Tue, 04-Nov-2014 17:12:50 GMT; path=/; domain=.xampp.com.local

In Varnish I'll only ever want to set one cookie, but if the back end response included a Set-Cookie header or if the client already has cookies, I want to be sure that I'm not destroying them in the process of setting up my cookie.

The Turpentine extension from Nexcess seems to work some magic inside of C with the following which is responsible for setting up the session:

sub generate_session {
    # generate a UUID and add `frontend=$UUID` to the Cookie header, or use SID
    # from SID URL param
    if (req.url ~ ".*[&?]SID=([^&]+).*") {
        set req.http.X-Varnish-Faked-Session = regsub(
            req.url, ".*[&?]SID=([^&]+).*", "frontend=\1");
    } else {
        C{
            char uuid_buf [50];
            generate_uuid(uuid_buf);
            VRT_SetHdr(sp, HDR_REQ,
                "\030X-Varnish-Faked-Session:",
                uuid_buf,
                vrt_magic_string_end
            );
        }C
    }
    if (req.http.Cookie) {
        # client sent us cookies, just not a frontend cookie. try not to blow
        # away the extra cookies
        std.collect(req.http.Cookie);
        set req.http.Cookie = req.http.X-Varnish-Faked-Session +
            "; " + req.http.Cookie;
    } else {
        set req.http.Cookie = req.http.X-Varnish-Faked-Session;
    }
}

sub generate_session_expires {
    # sets X-Varnish-Cookie-Expires to now + esi_private_ttl in format:
    #   Tue, 19-Feb-2013 00:14:27 GMT
    # this isn't threadsafe but it shouldn't matter in this case
    C{
        time_t now = time(NULL);
        struct tm now_tm = *gmtime(&now);
        now_tm.tm_sec += 3600;
        mktime(&now_tm);
        char date_buf [50];
        strftime(date_buf, sizeof(date_buf)-1, "%a, %d-%b-%Y %H:%M:%S %Z", &now_tm);
        VRT_SetHdr(sp, HDR_RESP,
            "\031X-Varnish-Cookie-Expires:",
            date_buf,
            vrt_magic_string_end
        );
    }C
}

And they are checking to see if the user already has a frontend cookie with the following:

if (req.http.Cookie !~ "frontend=") {   
    # it's a real user, make up a new session for them
    call generate_session;
}

So, how do I deal with the cases where one or more of the following are occurring:

  • Varnish is adding the frontend= cookie for Magento (Turpentine)
  • The backend is returning one or more cookies
  • The client already has one or more cookies
Solution

  • You will need the header vmod for this:

    https://github.com/varnish/libvmod-header/

    Example:

    header.append(beresp.http.Set-Cookie,"stayAtLocale=1");

    You can also use the std vmod to "compact" all headers into one:

    https://www.varnish-cache.org/docs/4.0/reference/vmod_std.generated.html#func-collect