What does this vcl_hash function do?

Question

In several Varnish VCL examples for wordpress, I see the following:

sub vcl_hash {
  # Add the browser cookie only if a WordPress cookie found.
  if (req.http.Cookie ~ "wp-postpass_|wordpress_logged_in_|comment_author|PHPSESSID") {
    hash_data (req.http.Cookie);
  }
}

Could someone please explain what this does? I have tried googling it but I don't follow.

I want to make sure it's not possible that someone could just create a cookie with some junk in it and call it PHPSESSID or something, and then magically it would think they're logged in?

Answer 1

This checks to see if the user has a cookie named one of those (each | is the regex OR operator, so it can match any one of those). If there is a cookie with that name, then we hash the value of the cookie so that user gets their own cache. This is achieved using the hash_data function which adds the parameter to the cache key for the request (so you're adding the contents of req.http.Cookie to the cache key).

The reason for this is so logged in users don't see a cached version of the page from a logged out user.

This is pretty secure, although I personally wouldn't do this as it does open up some problems (e.g. a user logs out and invalidates their session, but an attacker could see the cached pages from say their profile page by replicating the request headers).

A better option is to simply not cache those pages (100% safe). You could put that in the vcl_recv function:

sub vcl_recv {
  if (req.http.Cookie ~ "wp-postpass_|wordpress_logged_in_|comment_author|PHPSESSID") {
    return (pass);
  }
}