Greetings,
I hope someone can help me with building two distinct caches using Varnish: one for regulars and another for authenticated premium members. The documentation on this subject [1] suggests sending a cookie such as premium=1. This, however, is not as secure as I would like it to be. Someone must not be allowed to just set the cookie, like premium=1, and have access to the secured cache.

I see two solutions:

1. validate the cookie using a hash plus a salt from within Varnish in order to make it harder to guess the value;
2. have the PHP session IDs do the job for us, but we therefore need to check in some backend if the session ID is attached to an authenticated premium member.

The first solution would be quite quick to implement but has significant drawbacks, such as security obtained through obscurity and the difficulty that comes with a server-side signed-off user.

The second solution would be rather elegant; we could fill a memcached pool with PHP session IDs that belong to authenticated premium users; we would then only need to check the condition. The problem is: we don't see a method in Varnish to check a backend.

What do you suggest? Are there other approaches that fit the use case? How did or would you solve this problem with Varnish?

Thanks in advance,
Ron van der Vegt
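A sketch of how option 1 can resist forgery, added here as an example and not part of the original post: it swaps the hash-plus-salt for an HMAC-SHA256 token with an expiry, so a hand-set premium=1 falls back to the regular cache and a token stops working shortly after a server-side logout. The key, the token layout (user_id.expiry.mac) and the function names are assumptions, and Python is used only to show the logic both sides would share.

```python
import hashlib
import hmac
import time

# Assumption: a secret known to the login backend and the cache tier only
# (constructed demo value; a real key is random and rotated).
SECRET = b"constructed-demo-key"


def _mac(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id, ttl=900, now=None):
    """Backend side: build 'user_id.expiry.mac' after a premium login."""
    issued = int(time.time()) if now is None else int(now)
    payload = "%s.%d" % (user_id, issued + ttl)
    return payload + "." + _mac(payload)


def cache_tier(cookie_value, now=None):
    """Cache side: return 'premium' only for an authentic, unexpired token.

    The returned tier, not the raw cookie, is what belongs in the cache key,
    so all premium members share one cached copy.
    """
    if not cookie_value:
        return "regular"
    parts = cookie_value.rsplit(".", 2)
    if len(parts) != 3:
        return "regular"
    user_id, expiry, mac = parts
    expected = _mac(user_id + "." + expiry)
    # Constant-time comparison avoids leaking how many MAC characters matched.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "regular"
    current = int(time.time()) if now is None else int(now)
    if not (expiry.isascii() and expiry.isdigit()) or int(expiry) < current:
        return "regular"
    return "premium"


if __name__ == "__main__":
    token = issue_token("42", now=1000)        # constructed sample login
    print(cache_tier(token, now=1500))         # valid token
    print(cache_tier("1"))                     # hand-set cookie value
```

The expiry only bounds the logout window; immediate revocation still needs a server-side lookup such as the session check in option 2.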
