Re: Cookie problem & thanks

DavidL@datacom.co.nz writes:

>Hi Squid Users,
>
>
>Firstly, many thanks to all those who responded to my last posting on
>'Memory problems' . The recommendation to link with the GNUmalloc
>routines worked like a charm - problem solved. I am now able to make
>better use of the memory in my system by increasing the cache_mem
>parameter.
>
>My next problem is to do with 'cookies'. I am no expert on html and all
>of its features, but here's what I've found so far:
>There are quite a few site that create and send cookies as part of the
>headers on html pages. These html pages/objects are cached by squid with
>the result that all requests for that url will received the cached copy
>of the html page, and thus the same cookie value. In most cases this is
>not a problem for the user (it may be for the hosting site as it will
>appear that all activity from that proxy server is generated by the one
>browser). However, a few sites do use the cookie value for all
>subsequent requests from the browser that recieved that cookie.
>Specifically, the site www.cdnow.com uses the cookie value to identify
>the 'shopping basket' into which a users is placing his/her selection of
>cd's and tapes. Two or more people accessing cdnow through a squid proxy
>server at the same time will end up using the same 'shopping basket' as
>they will all receive the same cached cookie value, and thus cause a lot
>of confusion. The other site that displays a similar problem (that I
>know of) is www.arcadium.com, where the cookie value is used to inform
>their system that you have visited the site before and registered a
>login id with them.
>I have tested this problem with the CERN proxy server and found that it
>does not serve a cached copy of the htmp pages containing a cookie. I
>have not tested the Netscape Proxy server, but believe it also works 'as
>expected'.
>As a work-around, I am using the cache_stoplist_pattern to prevent the
>caching of those specifing urls that contain cookies and which are
>causing a problem. However, this solution is not satisfactory and a
>general solution to all such 'problem' sites.
>
>Question: Is there a configuration parameter that will make squid 1.1.0
>not cache objects containing cookies ?
>If not, can squid be modified to not cache objects with cookies ? I
>realise that this would mean scanning every object for a text string to
>determine whether the object should be discarded or not, and would
>therefore produce a significant performance impact. How about providing
>configuration options to allow for the scanning of only the first x
>bytes of each url that matches a set of regexp patterns ?

Its easy to detect the cookies.

Note that the current HTTP/1.1 draft doesn't say anyting about cookies,
it seems to be a Netscape-ism. So there are no "official" guidelines
to follow that I know of.

I'd rather not introduce another option, but just make it the default
behaviour to NOT cache responses with cookies.

Simple scanning of objects on the NLANR caches shows that 0.9% of objects
in the cache include the 'Set-Cookie' header. If you want to check
your own, get
    http://squid.nlanr.net/Squid/Scripts/find-cookies.pl

Duane W.
Received on Fri Dec 13 1996 - 12:46:54 MST