On 12/08/11 00:18, Rejaine Monteiro wrote:
Hi list, I'm having problems with Squid (v3) and Tomcat with caching of the session_id/cookie generated in a URL. PS: sorry about the long post and poor English ;0(
There are two separate mechanisms here.

Cookies, which are never transmitted on cached replies.
** notice how the HIT response from Squid has no Set-Cookie header.

302 redirection, which can be cached.
** notice the Expires: vs Date: header values

<snip>
I'm using CURL (command line) on Linux for this test... When I access my site (http://mysite.com.br:8080/app) for the first time (this is a Tomcat application, without any Apache in the middle), the jsessionid code (Location) is equal to the cookie (Set-Cookie):
This is a major security violation. The application should not be doing that. At the very least it should be marking such responses as "private" and "no-store".
I suggest dropping that application. Seriously.
# curl -x localhost:3128 -I http://mysession:8080/app
HTTP/1.0 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=950D366F1F13A7BA226E89C928060BAF.node1; Path=/app
Expires: 15 Aug 2011 21:53:52 GMT
Cache-Control: max-age=120
Explicit information telling Squid, browser and everything else on the Internet which see it that the 302 is _supposed_ to be cached for another few days.
Location: http://mysite/session.do;jsessionid=950D366F1F13A7BA226E89C928060BAF.node1?app=portal
Content-Type: text/html;charset=utf-8
Content-Length: 0
Date: Wed, 10 Aug 2011 21:53:52 GMT
X-Cache: MISS from localhost
X-Cache-Lookup: HIT from localhost:3128
Via: 1.0 localhost (squid/3.0.STABLE18)
Proxy-Connection: keep-alive

But on the second access, the session is cached (because of the max-age=120 parameter). This was not expected, because the session id should change for each session (this is a dynamic page). See below:
The dynamic nature of the page means nothing to sessions. Sessions and cookies are a property of the web server running the site. But that is a separate issue.
With other proxy servers, this problem does not occur (I already tested with Freeproxy and AnalogX, and the resulting jsessionid is always different from the previous session, even with the max-age parameter); therefore, I believe that the problem occurs only when using the Squid proxy.
Then those proxies are either not supporting caching of 302 responses or getting different responses to the ones you show here.
I don't have access to modify the Cache-Control in the web application, and since the error does not occur with other proxy servers, I have to solve this issue in Squid. I already tried entering the settings below, but with no effect. The only solution that worked was setting cache deny for the entire site, but this is not desirable (for reasons of bandwidth consumption).

### I tried this configuration (but no effect)

hierarchy_stoplist cgi-bin \?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache deny QUERY
acl JSESSIONID1 req_header Cookie -i JSESSIONID
cache deny JSESSIONID1
acl JSESSIONID2 rep_header Set-Cookie -i JSESSIONID
cache deny JSESSIONID2
cache ACLs are still only tested on request arrival in Squid. Pity.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 ignore-no-cache ignore-no-store override-expire
refresh_pattern -i mysite 0 0% 0 ignore-no-cache ignore-no-store override-expire
refresh_pattern . 0 20% 4320

#####

I appreciate any help
All of the workarounds I can think of right now fail due to one or other of the headers being emitted. It's not a nice app.
Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.14
  Beta testers wanted for 3.2.0.10
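The two rules Amos describes (a 302 with explicit freshness information is storable by a shared cache; Set-Cookie is never replayed on a HIT) are enough to reproduce the leak from the headers posted above. The following is an added example written for this page, not code from the squid-users thread, from Squid or from the Tomcat application: a toy shared cache applying those rules to the posted response, with a second client then receiving the first client's jsessionid in the cached Location header. The client names, the sequential session ids, the URL used as the cache key and the "private, no-store" variant are constructed for illustration; the header values are those shown in the post.

```python
"""
Added example (not from the squid-users thread, Squid, or the Tomcat app):
a toy shared cache that stores a 302 when it carries explicit freshness and
never replays Set-Cookie on a HIT, run against the headers posted above.
"""
import itertools
import re
from email.utils import mktime_tz, parsedate_tz

# Response headers as shown in the post (X-Cache/Via omitted; they are added by the proxy).
POSTED_HEADERS = {
    "Server": "Apache-Coyote/1.1",
    "Set-Cookie": "JSESSIONID=950D366F1F13A7BA226E89C928060BAF.node1; Path=/app",
    "Expires": "15 Aug 2011 21:53:52 GMT",
    "Cache-Control": "max-age=120",
    "Location": "http://mysite/session.do;jsessionid=950D366F1F13A7BA226E89C928060BAF.node1?app=portal",
    "Content-Type": "text/html;charset=utf-8",
    "Date": "Wed, 10 Aug 2011 21:53:52 GMT",
}

SHARED_CACHE_DENY = {"no-store", "private"}  # either one forbids storage in a proxy cache


def parse_cache_control(value):
    """'max-age=120, private' -> {'max-age': '120', 'private': None}"""
    out = {}
    for token in value.split(","):
        name, _, arg = token.strip().lower().partition("=")
        if name:
            out[name] = arg.strip('"') or None
    return out


def freshness_lifetime(headers):
    """Seconds a shared cache may serve the response; None if no explicit freshness given."""
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    for name in ("s-maxage", "max-age"):  # s-maxage wins for shared caches, then max-age
        if cc.get(name) and cc[name].isdigit():
            return int(cc[name])
    if "Expires" in headers and "Date" in headers:  # fall back to Expires - Date
        exp, date = parsedate_tz(headers["Expires"]), parsedate_tz(headers["Date"])
        if exp is None or date is None:
            return 0  # an unparsable Expires counts as already stale
        return max(0, mktime_tz(exp) - mktime_tz(date))
    return None


def shared_cache_may_store(status, headers):
    """302 is not cacheable by default; it becomes storable only with explicit freshness
    and without private/no-store. Heuristic freshness for 200/301 is deliberately omitted."""
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    if SHARED_CACHE_DENY.intersection(cc):
        return False
    lifetime = freshness_lifetime(headers)
    return status == 302 and lifetime is not None and lifetime > 0


class SharedCache:
    """Minimal proxy cache: one entry per URL, expiry by freshness lifetime."""

    def __init__(self):
        self.store = {}

    def fetch(self, url, origin, now):
        entry = self.store.get(url)
        if entry and now - entry["stored_at"] < entry["lifetime"]:
            headers = dict(entry["headers"])
            headers.pop("Set-Cookie", None)  # cookies are never replayed from cache (as in Squid)
            headers["X-Cache"] = "HIT"
            return entry["status"], headers
        status, headers = origin()
        if shared_cache_may_store(status, headers):
            self.store[url] = {"stored_at": now, "lifetime": freshness_lifetime(headers),
                               "status": status, "headers": dict(headers)}
        headers = dict(headers)
        headers["X-Cache"] = "MISS"
        return status, headers


def tomcat_like_origin(cache_control):
    """Constructed stand-in for the Tomcat app: a fresh JSESSIONID on every request."""
    seq = itertools.count(1)

    def origin():
        sid = "SESSION%04d.node1" % next(seq)  # Tomcat uses a random hex id; sequential here
        headers = dict(POSTED_HEADERS)
        headers["Cache-Control"] = cache_control
        headers["Set-Cookie"] = "JSESSIONID=%s; Path=/app" % sid
        headers["Location"] = "http://mysite/session.do;jsessionid=%s?app=portal" % sid
        return 302, headers

    return origin


def jsessionid_in_location(headers):
    m = re.search(r";jsessionid=([^?;]+)", headers.get("Location", ""))
    return m.group(1) if m else None


def simulate(cache_control, clients=("alice", "bob")):
    """Return [(client, X-Cache, jsessionid from Location, Set-Cookie present)] for
    successive clients going through one shared cache, 10 seconds apart."""
    cache, origin, results = SharedCache(), tomcat_like_origin(cache_control), []
    for i, client in enumerate(clients):
        _, h = cache.fetch("http://mysession:8080/app", origin, now=10 * i)
        results.append((client, h["X-Cache"], jsessionid_in_location(h), "Set-Cookie" in h))
    return results


if __name__ == "__main__":
    for cc in ("max-age=120", "private, no-store"):
        print("Cache-Control:", cc)
        for row in simulate(cc):
            print("  ", row)
```

With the posted "max-age=120", the second client gets a HIT whose Location carries the first client's session id and no Set-Cookie at all, which is exactly the symptom in the post; with "private, no-store" on the same response, neither request is stored and each client gets its own id. Note that max-age takes precedence over Expires, so the lifetime a conforming shared cache applies to the posted response is 120 seconds, not the five days implied by Expires.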