Determining if varnish config changes are needed after adding 3 new cookies

online

5/17/23, 4:33 PM

# Keep all these cookie
if (req.http.Cookie) {
  set req.http.Cookie = ";" + req.http.Cookie;
  set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";");
  set req.http.Cookie = regsuball(req.http.Cookie, ";(location|usertype|viewed-products)=", "; \1=");
  set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", "");
  set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", "");

  if (req.http.Cookie == "") {
    unset req.http.Cookie;
  }
}

I have this varnish config, and I added 3 new cookies, so do I need to change anything? In my understanding, even if I added 3 new cookies, the only cookies that will be used for determining which cached values you're going to receive from varnish are solely determined by those you keep in the configs, so they will be determined by location, usertype and viewed products. Since we only have 2 location, 3 user types and 3 products, we can't have more than 332 18 different cache values. Am I correct?

0 + 0

varnish

Score:0

Server

Thijs Feryn

5/18/23, 7:47 AM

You're right, adding new cookies that aren't required for caching will not impact your VCL configuration.

Varnishlog output

When in doubt, use varnishlog. Here's a command you can use to monitor the cookie behavior:

varnishlog -g request -i ReqUrl -I ReqUnset:Cookie -I ReqHeader:Cookie

This command will only display the URL of the request and the various log lines where cookie values are set and unset.

Imagine sending the following HTTP request to your Varnish server:

curl -H "Cookie: foo=bar; location=test" http://localhost

This request sends 2 cookies to Varnish:

The unknown foo cookie that is supposed to be removed
The location cookie that is supposed to be kept

Here's the logging output:

*   << Request  >> 132325
-   ReqURL         /
-   ReqHeader      Cookie: foo=bar; location=test
-   ReqUnset       Cookie: foo=bar; location=test
-   ReqHeader      Cookie: ;foo=bar; location=test
-   ReqUnset       Cookie: ;foo=bar; location=test
-   ReqHeader      Cookie: ;foo=bar;location=test
-   ReqUnset       Cookie: ;foo=bar;location=test
-   ReqHeader      Cookie: ;foo=bar; location=test
-   ReqUnset       Cookie: ;foo=bar; location=test
-   ReqHeader      Cookie: ; location=test
-   ReqUnset       Cookie: ; location=test
-   ReqHeader      Cookie: location=test

As you can see, the foo cookie is nicely stripped of while the location cookie is kept.

Controlling the cache variations

I see that you're trying to keep the amount of cache variations under control, which makes sense.

The problem is that malicious requests can created unwanted cache variations.

If the amount of values per cookie are so limited, I suggested including them in your cache variation logic.

Are you using the cookie values in your vcl_hash logic for that? Or do you use Vary: Cookie for that?

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Determining if varnish config changes are needed after adding 3 new cookies

TH: การพิจารณาว่าจำเป็นต้องเปลี่ยนการกำหนดค่าวานิชหรือไม่หลังจากเพิ่มคุกกี้ใหม่ 3 รายการ

RO: Stabilirea dacă sunt necesare modificări de configurare a lacului după adăugarea a 3 cookie-uri noi

RU: Определение необходимости изменения конфигурации лака после добавления 3 новых файлов cookie

VI: Xác định xem có cần thay đổi cấu hình vecni sau khi thêm 3 cookie mới không

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.