Closed pecknigel closed 7 years ago
Thank you for the suggestion, but compiling regular expressions on the fly would likely be too costly so instead we could use glob expressions: a simple middle-ground.
What does your offending cookie look like?
Thanks for this, sounds good. The offending cookie is like:
5f1dda7aadcabc485cab51d1f52bd66a=67cjqcmgh39f8fr273a0vvfq91
Oh dear, I'm afraid a glob expression won't cut it.
Yeah, I wondered about that. I could use [a-f0-9] repeated 32 times! But that is not pretty, to say the least.
What about pre-compiling a regex? Could that work? Something the likes of:
cookie.regex.1 = "^[0-9a-f]{32}$";
...
cookie.filter_except(cookie.regex.1);
Can't you configure Joomla to avoid this security-through-obscurity nonsense? We could do something similar to what you are suggesting but it's a bit more complicated than this syntax and overall an API overhaul which we'd rather avoid.
No worries, was just an idea if it seemed useful for others too.
Regarding Joomla, the cookie naming can't be changed without updating the core. It seems the name is pretty consistent for an installation, so I have the option to hard-code the hash value for each site. I was looking for a way to avoid having to do that. I can always write my own VCL to deal with the cookies anyway, so no problem, was just exploring if it could be made possible with the VMOD, and thought it might be a useful feature for other cases where cookie names are not fixed but match a pattern.
Thanks for looking at it.
Sorry for not being too helpful. If the occasion to change the API arises we will certainly remember to bake in regex support.
Implemented here: https://github.com/varnish/varnish-modules/pull/126
I hope this is the right place for a feature suggestion. Please let me know if not.
For my particular use case, I am working with Joomla and find that it sets session cookies with hashes for the cookie name, so I would like to use cookie.filter_except to keep these, but it only allows specifying an exact name and does not accept regexes to select cookies.
What I am suggesting is that cookiename allow regexes, rather than only exact names (perhaps with an option flag to enable it?). It seems like something that could be added to all functions that make changes to existing cookies.
If it would be possible to add that, it seems a minor change, would be very useful for me and likely for others too.
Thanks.
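Added example, not code from this thread or from the cookie VMOD: a Python model of the requested behaviour, keeping only cookies whose names match a regex, run on the sample cookie quoted in the thread. The function name `filter_except_re` and the other cookies in the sample header are assumptions; matching is an unanchored search, as regex matching in VCL is, to show why the `^...$` anchors in the proposed pattern matter.

```python
import re

# Pattern proposed in the thread: a cookie name that is exactly 32 hex chars.
ANCHORED = re.compile(r"^[0-9a-f]{32}$")
# Same character class without anchors, for comparison.
UNANCHORED = re.compile(r"[0-9a-f]{32}")

# Constructed Cookie header. Only the second cookie comes from the thread;
# the others are made up to exercise the filter.
SAMPLE = (
    "_ga=GA1.2.111; "
    "5f1dda7aadcabc485cab51d1f52bd66a=67cjqcmgh39f8fr273a0vvfq91; "
    "trk_5f1dda7aadcabc485cab51d1f52bd66a=1; "
    "lang=en"
)


def parse_cookie_header(header):
    """Split a Cookie request header into (name, value) pairs, in order."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        # Split on the first '=' only, so values containing '=' survive.
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def filter_except_re(header, pattern):
    """Return the header with every cookie dropped except those whose
    name matches `pattern` (unanchored search on the name only)."""
    kept = [(n, v) for n, v in parse_cookie_header(header) if pattern.search(n)]
    return "; ".join(f"{n}={v}" for n, v in kept)


if __name__ == "__main__":
    print("anchored:  ", filter_except_re(SAMPLE, ANCHORED))
    print("unanchored:", filter_except_re(SAMPLE, UNANCHORED))
```

With the anchored pattern only the session cookie is kept; without anchors the look-alike `trk_...` cookie also passes the filter and reaches the backend.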