Search squid archive

Re: Session not transferred when redirected by a website

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 16/12/2011 6:50 p.m., Widhiyanto, Projo wrote:
Hi All,

I wasn't sure if my previous message was delivered to this list, so here
it is again:

I have a problem with certain website that doesn't seem to maintain
session when it is redirected after a login process. Login was
successful, but once you got redirected, the session is lost - and you
got logged out. However the problem is only seen if I am using a parent
cache (which is a Squid proxy of my ISP).

So far I only found this problem with http://www.htcdev.com. I will try
with other websites soon.
Does anyone happen to experience this, or am I missing something in the
squid config?
I'm using Squid 3.0 running on Debian Squeeze.

Thanks,
Jodix

This can appear to happen when the redirect response or the page redirected to is cached.

I say appear to, since sessions are not possible to loose like that. Once they are created they exist until the server erases them itself.

What can make it appear to log out is if a page from before the login is cached and served after login. The visible body of the page will be missing any new details added after login and also the Cookie: headers (including Session Cookies) cannot be cached and shared around. Squid erases them when serving cache HITs to prevent session data crossing between different clients.

There are two ways around this:

1) do not share URLs between logged-in and logged-out views of the site. You will see many sites with a /myaccount or /admin sort of path 'area' in their URLs. This is why.

2) The server accurately and reliably sending Vary:, ETag:, Date:, and Last-Modified headers for each and every object. If URLs can present more than one view or object these headers are critical. ** this website is claiming its pages were modified in the future relative to the timestamp the response about them was created and delivered. ** this website is not sending ETag at all, and lookups for a small sub-section of the page are returning different binary versions of the page object.

plug the URL into the tool at redbot.org to see more details.



Back to your problem....

* ensure that your proxy is not anonymizing one of the object identification headers out of existence. (I see this happen a lot with people aiming at "privacy". Dropping identifier headers because of what they are called, not the thing they identify.)

* ensure that your proxy is not forcing things to cache when they are supposed not to (ignore-* and override-* controls).

* check to see if that upstream proxy is doing any of the above. Complain to its admin if you find it doing so.

* try a forced reload on the page reporting you as logged out (shift or ctrl key down while presing the refresh/reload button).


Amos


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux