Re: [squid-users] Squid is not aware of logged and anonymous users

From: Henrik Nordström <henrik_at_henriknordstrom.net>
Date: Tue, 22 Jun 2010 20:09:17 +0200

On Tue 2010-06-22 at 19:18 +0200, Daniel Gomez wrote:
> Good afternoon everyone,
>
> I'm using Squid in front of Zope/Plone. Since my main pages
> (Homepage,...) are quite static I would want to cache them for Anonymous
> users, but not for logged users. I am using the policies:
>
> - Anonymous: Cache in proxy for 24 hours (tested with ETag header and without)
> - Logged user: Cache in the browser with ETag

You also need Vary in that mix, telling caches on what information your
web server decided if the request is anonymous or logged in.

Generally speaking cookie authentication works very badly with
caches. This is because the response then varies on the Cookie header, and
if your anonymous visitors have any session-like cookies (i.e. Google
AdSense trackers, old session cookies etc.) except when logged in, then
things go very bad as pretty much every user is then unique to the cache
even if your server faithfully responds with nice ETags. This is because
Squid does not know which ETag matches which Cookie header combination
before asking your server.

A better design is to use https:// for authenticated access and http://
for anonymous access. In addition to solving the problem it also
increases the security of the authenticated users' login credentials.

Then in addition I would strongly recommend using HTTP Digest
authentication instead of form-based cookie authentication for
authenticated access. If properly implemented then your authenticated
users' passwords are reasonably secure even if your site gets hacked.

Regards
Henrik
Received on Tue Jun 22 2010 - 18:09:41 MDT
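As an added illustration of the point made above (example code written for this archive page, not from the thread and not Squid's own code): a minimal Vary-aware shared cache in Python, run over constructed traffic, showing that `Vary: Cookie` turns every anonymous visitor carrying a tracker cookie into a cache miss, while moving logged-in users onto https:// lets the anonymous http:// page be shared from the cache. The `session=` cookie name, the `__utma` tracker cookies and the URLs are assumptions.

```python
from typing import Dict, List, Tuple
class SharedCache:
    """Minimal shared cache keyed like RFC 7234 §4.1: the URL plus the value of
    every request header the stored response named in Vary (added example)."""
    def __init__(self) -> None:
        self.entries: Dict[str, List[Tuple[tuple, tuple, str]]] = {}
        self.hits = self.misses = 0

    @staticmethod
    def _vary_key(vary: tuple, req: dict) -> tuple:
        return tuple(req.get(h, "") for h in vary)

    def fetch(self, url: str, req: dict, origin) -> str:
        for vary, key, body in self.entries.get(url, []):
            if self._vary_key(vary, req) == key:   # stored response is selectable
                self.hits += 1
                return body
        self.misses += 1
        resp, body = origin(url, req)
        cc = resp.get("Cache-Control", "")
        vary = tuple(h.strip() for h in resp.get("Vary", "").split(",") if h.strip())
        if "private" not in cc and "no-store" not in cc and "*" not in vary:
            self.entries.setdefault(url, []).append((vary, self._vary_key(vary, req), body))
        return body

def origin_vary_cookie(url: str, req: dict):
    # Policy from the question: anonymous page public for 24h, but the decision
    # is made on Cookie, so the server has to send Vary: Cookie as well.
    if "session=" in req.get("Cookie", ""):          # assumed login cookie name
        return {"Cache-Control": "private"}, "home(logged-in)"
    return {"Cache-Control": "public, max-age=86400", "Vary": "Cookie"}, "home(anonymous)"

def origin_split_scheme(url: str, req: dict):
    # Henrik's design: logged-in only over https://, anonymous over http://;
    # the http:// response no longer depends on Cookie, so it needs no Vary.
    if url.startswith("https://"):
        return {"Cache-Control": "private"}, "home(logged-in)"
    return {"Cache-Control": "public, max-age=86400"}, "home(anonymous)"

# Constructed traffic: three anonymous visitors with different tracker cookies
# (the AdSense case from the mail), followed by one logged-in user.
ANON = [{"Cookie": "__utma=111"}, {"Cookie": "__utma=222"}, {}]
LOGGED = {"Cookie": "session=abc"}

def run(policy, anon_url: str, logged_url: str) -> Tuple[int, int, str]:
    cache = SharedCache()
    for req in ANON:
        cache.fetch(anon_url, req, policy)
    body = cache.fetch(logged_url, LOGGED, policy)   # must never be the anonymous page
    return cache.hits, cache.misses, body
```

With the Vary: Cookie policy the three anonymous requests all miss because each cookie set is a distinct secondary key; with the split-scheme policy the second and third anonymous requests hit, and the logged-in response is never stored because it is marked private.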
