[shib_auth] cookie handling for anonymous users

Mchugh, Christian Christian.Mchugh at untsystem.edu
Wed Apr 3 03:10:58 CEST 2013


Hey all,

We are investigating running Shibboleth authentication for our Drupal installs. In our environment we run Drupal servers on Apache behind Varnish caching machines. The way Varnish handles caching, if a Drupal session is anonymous, then cookies aren't set so it knows it can cache the results. If a user logs in, they get a SESS######## cookie set by Drupal, and Varnish can't cache those pages.

In testing the Shibboleth module, it appears to always set a Drupal SESS cookie. By visiting a site with the shib auth module installed, I get a SESS3928d85b60a68e9b5b42d4fbd0b35b69 cookie.

Looking at the database:
select hostname, uid, from_unixtime(timestamp), session from sessions order by timestamp desc;

It tells me that the cookie is for a shibboleth session:
shib_auth_rolecache|a:3:{i:3;s:13:"administrator";i:1;s:14:"anonymous user";i:2;s:18:"authenticated user";}



Since the user has not yet logged in, I don't see any reason for it to set a cookie. Is this a bug, or can anything be done about it?


Thank you
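
Added example, not part of the original message or of the shib_auth module: a Python sketch that decodes the `session` column returned by the query above (PHP's `name|serialized-value` session format) and counts which session variables are stored in anonymous rows, which shows what is forcing the SESS cookie. It assumes anonymous sessions are stored with uid 0 and handles only the N, b, i, d, s and a value types; the rows are constructed, with the first session string taken from the post.

```python
from collections import Counter

def _value(buf, pos):
    """Decode one PHP-serialized value at buf[pos]; return (value, next_pos)."""
    tag = buf[pos:pos + 1]
    if tag == b"N":                                  # N;
        return None, pos + 2
    if tag in (b"i", b"b", b"d"):                    # i:3;  b:1;  d:0.5;
        end = buf.index(b";", pos)
        raw = buf[pos + 2:end]
        if tag == b"b":
            return raw == b"1", end + 1
        return (int(raw) if tag == b"i" else float(raw)), end + 1
    if tag == b"s":                                  # s:<byte length>:"...";
        colon = buf.index(b":", pos + 2)
        start, n = colon + 2, int(buf[pos + 2:colon])
        return buf[start:start + n].decode("utf-8", "replace"), start + n + 2
    if tag == b"a":                                  # a:<count>:{key value ...}
        colon = buf.index(b":", pos + 2)
        count, pos, out = int(buf[pos + 2:colon]), colon + 2, {}
        for _ in range(count):
            key, pos = _value(buf, pos)
            out[key], pos = _value(buf, pos)
        return out, pos + 1                          # step over the closing }
    raise ValueError(f"unsupported type tag {tag!r} at offset {pos}")

def parse_session(data):
    """Split a sessions.session value (name|value name|value ...) into a dict."""
    buf, pos, out = data.encode("utf-8"), 0, {}
    while pos < len(buf):
        bar = buf.index(b"|", pos)
        name = buf[pos:bar].decode("utf-8")
        out[name], pos = _value(buf, bar + 1)
    return out

def anonymous_session_keys(rows):
    """Count session variable names across rows whose uid is 0 (assumed anonymous)."""
    counts = Counter()
    for uid, session in rows:
        if uid == 0 and session:
            counts.update(parse_session(session).keys())
    return counts

# Constructed (uid, session) rows; the first session string is the one in the post.
FROM_POST = ('shib_auth_rolecache|a:3:{i:3;s:13:"administrator";'
             'i:1;s:14:"anonymous user";i:2;s:18:"authenticated user";}')
ROWS = [(0, FROM_POST), (0, ""), (7, "example_flag|b:1;example_note|N;")]

if __name__ == "__main__":
    print(anonymous_session_keys(ROWS))
```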
