fix bug eZSESSID hijacking

[ddtraceweb]

fix bug eZSESSID hijacking

[andrerom]

Hi, thanks for contributing :)
Can you add some information on what you are fixing here? Also if this is an issue we should handle by default we will need to create a issue for this and probably also deal with in varnish4 vcl as well.

[ddtraceweb]

Hi,

if a Set-cookie is present, varnish cache the eZSESSID actually and we have for exemple 30 unique hits 1 only eZSESSID.

we can't have cache of eZSESSID. This Pull Request fix the problem, it's valid for varnish 4 too i think.

Now we have 30 unique visits , with 30 single eZSESSID .

[andrerom]

ping @lolautruche

[lolautruche]

Hi

It's actually a copy/paste from default.vcl. What should be removed is return (deliver) instead, so that default VCL code is called correctly. VCL for Varnish 4 is already safe (completely different code btw).

[andrerom]

@ddtraceweb up for making the PR change and test that it solves your issue?

[ddtraceweb]

yes it's ok if remove return(deliver) with default.vcl

[brookinsconsulting]

ping @ddtraceweb @andrerom

Is the issue / understanding related to this PR resolved?

Can this PR be closed?

Cheers,
Brookins Consulting

[andrerom]

@brookinsconsulting if you read the conversation, the patch should be updated, by whoever wants to take care about this.