Re: [squid-users] Squid, Tomcat and SESSIONID

From: Amos Jeffries <>
Date: Fri, 12 Aug 2011 04:40:38 +1200

On 12/08/11 00:18, Rejaine Monteiro wrote:
> Hi list,
> I'm having problems with squid (v3) and tomcat with caching of
> session_id/cookie generate on a URL
> ps: sorry about long post and poor english ;0(

There are two separate mechanisms here.

  Cookies - which are never transmitted on cached replies.
    ** notice how the HIT response from Squid has no Set-Cookie header.

  302 redirection - which can be cached.
   ** notice the Expires: vs Date: header values

> I'm using de CURL (command line) on Linux to this test...
> When access mysite ( on the frist time
> (this is a Tomcat aplication, without any Apache on midleware) , the
> jsessionid code (Location) is equal to cookie (Set-Cookie)

This is a major security violation. The application should not be doing
  At the very least it should be marking such responses as "private" and

I suggest dropping that application. Seriously.

> # curl -x localhost:3128 -I http://mysession:8080/app
> HTTP/1.0 302 Moved Temporarily
> Server: Apache-Coyote/1.1
> Set-Cookie: JSESSIONID=950D366F1F13A7BA226E89C928060BAF.node1; Path=/app
> Expires: 15 Aug 2011 21:53:52 GMT
> Cache-Control: max-age=120

Explicit information telling Squid, browser and everything else on the
Internet which see it that the 302 is _supposed_ to be cached for
another few days.

> Location:
> http://mysite/;jsessionid=950D366F1F13A7BA226E89C928060BAF.node1?app=portal
> Content-Type: text/html;charset=utf-8
> Content-Length: 0
> Date: Wed, 10 Aug 2011 21:53:52 GMT
> X-Cache: MISS from localhost
> X-Cache-Lookup: HIT from localhost:3128
> Via: 1.0 localhost (squid/3.0.STABLE18)
> Proxy-Connection: keep-alive
> But on second acess, the session is cached (because max-age=120
> parameter) This was not expected because the sessioind should change for
> each session (this is a dynamic page). See bellow:

Dynamic nature of the page means nothing to sessions. Sessions and
cookies are a property of the web server running the site. But that is a
separate issue.

> With other proxy servers, this problem does not occur (I already tested
> with the Freeproxy and AnalogX and the result of jessession is always
> different from the previous session, even with max-age parameter)
> therefore, I believe that the problem occurs only when using the
> proxy-squid.

Then those proxies are either not supporting caching of 302 responses or
getting different responses to the ones you show here.

> I don't have access to modify the Cache-Control in the web application
> and as in other proxy-server does not occur the error, I have to solve
> this issue in Squid.
> I already tried to enter the settings below, but not relieving effect
> to. The only solution that worked was set cache_deny for the entire
> site, but this is not desirable (for reasons of bandwidth consumption)
> ##E# I tried this configuration (but not effect)
> hierarchy_stoplist cgi-bin \?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> cache deny QUERY
> acl JSESSIONID1 req_header Cookie -i JSESSIONID
> cache deny JSESSIONID1
> acl JSESSIONID2 rep_header Set-Cookie -i JSESSIONID
> cache deny JSESSIONID2

cache ACLs are still only tested on request arrival in Squid. Pity.

> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 ignore-no-cache
> ignore-no-store override-expire
> refresh_pattern -i mysite 0 0% 0 ignore-no-cache
> ignore-no-store override-expire
> refresh_pattern . 0 20% 4320
> #####
> I appreciate any help

All of the workarounds I can think of right now fail due to one or other
of the headers being emitted. Its not a nice app.


Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.14
   Beta testers wanted for
Received on Thu Aug 11 2011 - 16:40:51 MDT

This archive was generated by hypermail 2.2.0 : Fri Aug 12 2011 - 12:00:01 MDT