ezpublish-community
fix bug eZSESSID hijacking
Hi, thanks for contributing :) Can you add some information on what you are fixing here? Also, if this is an issue we should handle by default, we will need to create an issue for this and probably also deal with it in the varnish4 vcl as well.
Hi,
If a Set-Cookie is present, Varnish actually caches the eZSESSID, and we have, for example, 30 unique hits but only 1 eZSESSID.
We can't have the eZSESSID cached. This pull request fixes the problem; it's valid for Varnish 4 too, I think.
Now we have 30 unique visits, with 30 single eZSESSIDs.
ping @lolautruche
Hi
It's actually a copy/paste from default.vcl. What should be removed is return (deliver) instead, so that default VCL code is called correctly. VCL for Varnish 4 is already safe (completely different code btw).
@ddtraceweb up for making the PR change and test that it solves your issue?
Yes, it's OK if we remove return(deliver) with default.vcl
ping @ddtraceweb @andrerom
Is the issue / understanding related to this PR resolved?
Can this PR be closed?
Cheers, Brookins Consulting
@brookinsconsulting if you read the conversation, the patch should be updated by whoever wants to take care of this.
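A check for the symptom reported in this thread (many cookieless visits receiving one cached eZSESSID), as an added example that is not part of the pull request or of eZ Publish. The function names and sample responses are constructed for illustration, and the check assumes the session cookie name starts with eZSESSID and that Varnish reports a hit through two ids in X-Varnish or a non-zero Age.

```python
from collections import Counter

COOKIE_PREFIX = "eZSESSID"  # assumption: the real cookie name may carry a suffix


def session_id(headers):
    """Return the eZSESSID value set by one response, or None."""
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        pair = value.split(";", 1)[0]  # "name=value" precedes the attributes
        cookie_name, _, cookie_value = pair.strip().partition("=")
        if cookie_name.startswith(COOKIE_PREFIX):
            return cookie_value
    return None


def is_cache_hit(headers):
    """Treat two transaction ids in X-Varnish, or Age > 0, as a cache hit."""
    h = {name.lower(): value for name, value in headers}
    if len(h.get("x-varnish", "").split()) >= 2:
        return True
    age = h.get("age", "0").strip()
    return age.isdigit() and int(age) > 0


def audit(responses):
    """Flag session cookies replayed from cache to several cookieless clients."""
    ids = [session_id(r) for r in responses]
    counts = Counter(i for i in ids if i is not None)
    return {
        "visits": len(responses),
        "distinct_sessions": len(counts),
        "shared_ids": sorted(i for i, n in counts.items() if n > 1),
        "cached_set_cookie": [n for n, r in enumerate(responses)
                              if ids[n] is not None and is_cache_hit(r)],
    }


def sample(sid, xvarnish, age):
    """Build one constructed response header list."""
    return [("Set-Cookie", f"eZSESSID={sid}; path=/; HttpOnly"),
            ("X-Varnish", xvarnish), ("Age", str(age))]


# Constructed data: 30 cookieless visits before and after the VCL change.
BEFORE = [sample("aaa111", "1001", 0)] + [
    sample("aaa111", f"{1002 + n} 1001", 5 + n) for n in range(29)]
AFTER = [sample(f"sid{n:03d}", str(2001 + n), 0) for n in range(30)]
```

Any entry in `shared_ids` or `cached_set_cookie` means a response carrying a session cookie was stored and replayed by the cache.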