varnish / varnish-modules

Collection of Varnish Cache modules (vmods) by Varnish Software
Other
185 stars 86 forks source link

Feature Suggestion: Select Cookies Based on Regex #74

Closed pecknigel closed 7 years ago

pecknigel commented 7 years ago

I hope this is the right place for a feature suggestion. Please let me know if not.

For my particular use case, I am working with Joomla and find that it sets session cookies with hashes for the cookie name, so I would like to use cookie.filter_except to keep these, but it only allows specifying an exact name and does not accept regexes to select cookies.

What I am suggesting is that cookiename allow regexes, rather than only exact names (perhaps with an option flag to enable it?). It seems like something that could be added to all functions that make changes to existing cookies.

If it would be possible to add that, it seems a minor change, would be very useful for me and likely for others too.

Thanks.

dridi commented 7 years ago

Thank you for the suggestion, but compiling regular expressions on the fly would likely be too costly so instead we could use glob expressions: a simple middle-ground.

What does your offending cookie look like?

pecknigel commented 7 years ago

Thanks for this, sounds good. The offending cookie is like: 5f1dda7aadcabc485cab51d1f52bd66a=67cjqcmgh39f8fr273a0vvfq91

dridi commented 7 years ago

Oh dear, I'm afraid a glob expression won't cut it.

http://man7.org/linux/man-pages/man7/glob.7.html

pecknigel commented 7 years ago

Yeah, I wondered about that. I could use [a-f0-9] repeated 32 times! But that is not pretty, to say the least.

What about pre-compiling a regex? Could that work? Something the likes of:

cookie.regex.1 = "^[0-9a-f]{32}$";
...
cookie.filter_except(cookie.regex.1);
dridi commented 7 years ago

Can't you configure Joomla to avoid this security-through-obscurity nonsense? We could do something similar to what you are suggesting but it's a bit more complicated than this syntax and overall an API overhaul which we'd rather avoid.

pecknigel commented 7 years ago

No worries, was just an idea if it seemed useful for others too.

Regarding Joomla, the cookie naming can't be changed without updating the core. It seems the name is pretty consistent for an installation, so I have the option to hard-code the hash value for each site. I was looking for a way to avoid having to do that. I can always write my own VCL to deal with the cookies anyway, so no problem, was just exploring if it could be made possible with the VMOD, and thought it might be a useful feature for other cases where cookie names are not fixed but match a pattern.

Thanks for looking at it.

dridi commented 7 years ago

Sorry for not being too helpful. If the occasion to change the API arises we will certainly remember to bake in regex support.

lkarsten commented 6 years ago

Implemented here: https://github.com/varnish/varnish-modules/pull/126