Re: [squid-users] Session not transferred when redirected by a website

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 16 Dec 2011 19:35:20 +1300

On 16/12/2011 6:50 p.m., Widhiyanto, Projo wrote:
> Hi All,
>
> I wasn't sure if my previous message was delivered to this list, so here
> it is again:
>
> I have a problem with certain website that doesn't seem to maintain
> session when it is redirected after a login process. Login was
> successful, but once you got redirected, the session is lost - and you
> got logged out. However the problem is only seen if I am using a parent
> cache (which is a Squid proxy of my ISP).
>
> So far I only found this problem with http://www.htcdev.com. I will try
> with other websites soon.
> Does anyone happen to experience this, or am I missing something in the
> squid config?
> I'm using Squid 3.0 running on Debian Squeeze.
>
> Thanks,
> Jodix

This can appear to happen when the redirect response or the page
redirected to is cached.

I say appear to, since sessions are not possible to lose like that.
Once they are created they exist until the server erases them itself.

What can make it appear to log out is if a page from before the login is
cached and served after login. The visible body of the page will be
missing any new details added after login and also the Cookie: headers
(including Session Cookies) cannot be cached and shared around. Squid
erases them when serving cache HITs to prevent session data crossing
between different clients.

There are two ways around this:

  1) do not share URLs between logged-in and logged-out views of the
site. You will see many sites with a /myaccount or /admin sort of path
'area' in their URLs. This is why.

  2) The server accurately and reliably sending Vary:, ETag:, Date:, and
Last-Modified headers for each and every object. If URLs can present
more than one view or object these headers are critical.
   ** this website is claiming its pages were modified in the future
relative to the timestamp the response about them was created and delivered.
  ** this website is not sending ETag at all, and lookups for a small
sub-section of the page are returning different binary versions of the
page object.

plug the URL into the tool at redbot.org to see more details.

Back to your problem....

* ensure that your proxy is not anonymizing one of the object
identification headers out of existence. (I see this happen a lot with
people aiming at "privacy". Dropping identifier headers because of what
they are called, not the thing they identify.)

* ensure that your proxy is not forcing things to cache when they are
supposed not to (ignore-* and override-* controls).

* check to see if that upstream proxy is doing any of the above.
Complain to its admin if you find it doing so.

* try a forced reload on the page reporting you as logged out (shift or
ctrl key down while pressing the refresh/reload button).

Amos
Received on Fri Dec 16 2011 - 06:35:29 MST
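As an added example for this archive page (not Amos's code and not part of Squid), the script below performs the two offline checks his reply points at: first, a redbot-style look at an origin response for a Last-Modified later than Date, a 200 with no ETag, a Set-Cookie on a response that a shared cache is allowed to store (Squid strips the cookie when serving the HIT, so later clients get a cookieless pre-login page), and a redirect carrying explicit freshness; second, a scan of squid.conf for refresh_pattern ignore-*/override-* options and for header_access rules that deny the validator headers. The response texts and the squid.conf fragment are constructed samples; the hostname, cookie and ETag values are made up and nothing here was captured from www.htcdev.com or from the poster's proxy. For a real site, feed it the headers shown by redbot.org or by `curl -sD - -o /dev/null URL`.

```python
"""Offline checks for the two failure modes in the reply above (added example)."""
import re
from email.utils import parsedate_to_datetime

# Headers a cache uses to identify and revalidate an object. Denying them
# for "privacy" is the anonymising-proxy mistake the reply describes.
VALIDATOR_HEADERS = {"etag", "if-none-match", "last-modified",
                     "if-modified-since", "vary", "date"}
# refresh_pattern options that force caching of things marked uncacheable
FORCE_CACHE_OPTS = re.compile(r"\b(ignore-[a-z-]+|override-[a-z-]+)\b")


def parse_response(raw):
    """Return (status_code, {lower-case name: [values]}) from raw response text."""
    lines = raw.strip("\r\n").splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                      # end of header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def audit_response(raw):
    """Flag the header problems named in the reply; returns a list of findings."""
    status, h = parse_response(raw)
    findings = []
    cc = " ".join(h.get("cache-control", [])).lower()
    explicit_freshness = "max-age" in cc or "s-maxage" in cc or "expires" in h
    if "date" in h and "last-modified" in h:
        if parsedate_to_datetime(h["last-modified"][0]) > parsedate_to_datetime(h["date"][0]):
            findings.append("Last-Modified is later than Date")
    if status == 200 and "etag" not in h:
        findings.append("no ETag")
    # A shared cache may store this unless it is marked private/no-store;
    # Squid then serves the body to other clients with the cookie removed.
    if "set-cookie" in h and not re.search(r"\b(private|no-store)\b", cc):
        findings.append("Set-Cookie on a response a shared cache may store")
    # 301 is cacheable by default; other redirects only with explicit freshness.
    if 300 <= status < 400 and (status == 301 or explicit_freshness):
        findings.append("redirect response is cacheable")
    return findings


def audit_squid_conf(conf):
    """Flag refresh_pattern forcing and denied validator headers in squid.conf text."""
    findings = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0]
        if directive == "refresh_pattern":
            opts = FORCE_CACHE_OPTS.findall(line)
            if opts:
                findings.append(f"line {lineno}: refresh_pattern forces caching via {' '.join(opts)}")
        # Squid 3.0 header_access and the later request_/reply_header_access
        # share the shape: <directive> <Header> allow|deny [acl ...]
        elif directive in ("header_access", "request_header_access", "reply_header_access"):
            if len(parts) >= 3 and parts[2] == "deny" and parts[1].lower() in VALIDATOR_HEADERS:
                findings.append(f"line {lineno}: {directive} denies validator header {parts[1]}")
    return findings


# Constructed samples (not real www.htcdev.com traffic or the poster's config).
BAD_PAGE = """\
HTTP/1.1 200 OK
Date: Fri, 16 Dec 2011 06:20:00 GMT
Last-Modified: Fri, 16 Dec 2011 06:25:00 GMT
Cache-Control: max-age=600
Set-Cookie: session=abc123; Path=/
Content-Type: text/html
"""
CACHEABLE_REDIRECT = """\
HTTP/1.1 302 Found
Date: Fri, 16 Dec 2011 06:20:00 GMT
Location: http://www.example.com/account
Expires: Fri, 16 Dec 2011 07:20:00 GMT
"""
GOOD_PAGE = """\
HTTP/1.1 200 OK
Date: Fri, 16 Dec 2011 06:20:00 GMT
Last-Modified: Thu, 15 Dec 2011 12:00:00 GMT
ETag: "a1b2c3"
Vary: Cookie
Cache-Control: private, max-age=0
"""
SAMPLE_CONF = """\
# constructed squid.conf fragment with the settings the reply warns about
refresh_pattern -i \\.(html|php)$ 1440 80% 43200 override-expire ignore-no-cache ignore-private
refresh_pattern . 0 20% 4320
header_access ETag deny all
header_access If-None-Match deny all
header_access User-Agent deny all
"""

if __name__ == "__main__":
    for name, raw in (("BAD_PAGE", BAD_PAGE), ("CACHEABLE_REDIRECT", CACHEABLE_REDIRECT),
                      ("GOOD_PAGE", GOOD_PAGE)):
        print(name, audit_response(raw) or ["ok"])
    print("SAMPLE_CONF", audit_squid_conf(SAMPLE_CONF) or ["ok"])
```

The User-Agent deny line is deliberately not flagged: that is the kind of header a privacy-minded admin can drop without breaking caching, while denying ETag or If-None-Match stops revalidation and is exactly what the reply warns against.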