On 12/08/11 00:18, Rejaine Monteiro wrote:
>
> Hi list,
>
> I'm having problems with squid (v3) and tomcat with caching of
> session_id/cookie generate on a URL
> ps: sorry about long post and poor english ;0(
>
There are two separate mechanisms here.
Cookies - which are never transmitted on cached replies.
** notice how the HIT response from Squid has no Set-Cookie header.
302 redirection - which can be cached.
** notice the Expires: vs Date: header values
<snip>
>
> I'm using de CURL (command line) on Linux to this test...
>
> When access mysite (http://mysite.com.br:8080/app) on the frist time
> (this is a Tomcat aplication, without any Apache on midleware) , the
> jsessionid code (Location) is equal to cookie (Set-Cookie)
This is a major security violation. The application should not be doing
that.
At the very least it should be marking such responses as "private" and
"no-store".
I suggest dropping that application. Seriously.
>
> # curl -x localhost:3128 -I http://mysession:8080/app
> HTTP/1.0 302 Moved Temporarily
> Server: Apache-Coyote/1.1
> Set-Cookie: JSESSIONID=950D366F1F13A7BA226E89C928060BAF.node1; Path=/app
> Expires: 15 Aug 2011 21:53:52 GMT
> Cache-Control: max-age=120
Explicit information telling Squid, browser and everything else on the
Internet which see it that the 302 is _supposed_ to be cached for
another few days.
> Location:
> http://mysite/session.do;jsessionid=950D366F1F13A7BA226E89C928060BAF.node1?app=portal
> Content-Type: text/html;charset=utf-8
> Content-Length: 0
> Date: Wed, 10 Aug 2011 21:53:52 GMT
> X-Cache: MISS from localhost
> X-Cache-Lookup: HIT from localhost:3128
> Via: 1.0 localhost (squid/3.0.STABLE18)
> Proxy-Connection: keep-alive
>
> But on second acess, the session is cached (because max-age=120
> parameter) This was not expected because the sessioind should change for
> each session (this is a dynamic page). See bellow:
>
Dynamic nature of the page means nothing to sessions. Sessions and
cookies are a property of the web server running the site. But that is a
separate issue.
>
> With other proxy servers, this problem does not occur (I already tested
> with the Freeproxy and AnalogX and the result of jessession is always
> different from the previous session, even with max-age parameter)
> therefore, I believe that the problem occurs only when using the
> proxy-squid.
Then those proxies are either not supporting caching of 302 responses or
getting different responses to the ones you show here.
>
> I don't have access to modify the Cache-Control in the web application
> and as in other proxy-server does not occur the error, I have to solve
> this issue in Squid.
>
> I already tried to enter the settings below, but not relieving effect
> to. The only solution that worked was set cache_deny for the entire
> site, but this is not desirable (for reasons of bandwidth consumption)
>
> ##E# I tried this configuration (but not effect)
> hierarchy_stoplist cgi-bin \?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> cache deny QUERY
> acl JSESSIONID1 req_header Cookie -i JSESSIONID
> cache deny JSESSIONID1
> acl JSESSIONID2 rep_header Set-Cookie -i JSESSIONID
> cache deny JSESSIONID2
cache ACLs are still only tested on request arrival in Squid. Pity.
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 ignore-no-cache
> ignore-no-store override-expire
> refresh_pattern -i mysite 0 0% 0 ignore-no-cache
> ignore-no-store override-expire
> refresh_pattern . 0 20% 4320
> #####
>
> I appreciate any help
All of the workarounds I can think of right now fail due to one or other
of the headers being emitted. Its not a nice app.
Amos
-- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.14 Beta testers wanted for 3.2.0.10Received on Thu Aug 11 2011 - 16:40:51 MDT
This archive was generated by hypermail 2.2.0 : Fri Aug 12 2011 - 12:00:01 MDT