> The true problem lies in the method that Joomla utilizes the same PHP session
> cookie for anonymous users and logged in users. The reasoning behind
> this is so Joomla can reduce the risk of session hijacking and whatnot,
> which makes sense (I guess).
This sounds a bit like what OpenCMS does. It sets a JSESSION-cookie no matter
what you do or who you are, and it's never used. If you log in, that same
JSESSION-cookie is suddenly very relevant.
I got around it by always discarding the backend's Set-Cookie unless it was
setting it from a login page. That way anonymous users would never get the
cookie set until they logged in, and then it would be there for the rest of
their session (causing Varnish to pass everything to the backend). Even if they
logged out again - that could probably be fixed but I didn't consider it a
problem.
In vcl_fetch:

    # Keep the backend's Set-Cookie only on responses for the login page.
    if (req.url !~ "/system/loginpage") {
        unset beresp.http.Set-Cookie;
    }
Above is just to illustrate the principle.
--
Lars
_______________________________________________
varnish-misc mailing list
[email protected]
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
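
The principle from the message above, written out for both the request and response side in Varnish 3.x VCL. This is an added example, not code from the original post. The cookie name JSESSIONID, the `^` anchor on the login path, and the choice to drop all cookies for anonymous clients are assumptions.

```vcl
# Added example for Varnish 3.x (the release that has vcl_fetch).
# Assumptions: the session cookie is named JSESSIONID, anonymous pages need no
# other cookies, and the login page lives at the path used in the post.

sub vcl_recv {
    if (req.http.Cookie ~ "(^|; *)JSESSIONID=") {
        # Client holds a session cookie: bypass the cache entirely.
        return (pass);
    }
    # Anonymous client: remove remaining cookies so the built-in vcl_recv
    # (which runs after this sub) can still do a cache lookup.
    unset req.http.Cookie;
}

sub vcl_fetch {
    if (req.url ~ "^/system/loginpage") {
        # Login response: let Set-Cookie through, and mark the object
        # hit-for-pass so a response carrying a session cookie is never
        # stored and replayed to another client.
        return (hit_for_pass);
    }
    if (!req.http.Cookie) {
        # Anonymous request to any other page: the backend's session cookie
        # is unused, so drop it and the response becomes cacheable.
        unset beresp.http.Set-Cookie;
    }
    # Requests that were passed keep their Set-Cookie (logout, session refresh).
}
```

Anchoring the match with `^` means only URLs that begin with the login path keep their Set-Cookie; an unanchored pattern also matches the string anywhere in a query string.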