There is a Varnish cache on my server, and sometimes a cached version of pages is being served to my users when they use Persistent Login.

For example, as admin, I check the "remember me" box and log in.

I browse the website and close my browser.

I reopen my browser and visit the website. I am not logged in automatically, but if I access the admin page, then I am logged in automatically.
Isn't this a security risk?

Or if there is an AJAX request on any page, it logs me in.

I'm using the latest version of Persistent Login.

The same happens for any other users using the website.

Are there any configs to be done on the Varnish side?

Thanks

Comments

j.b created an issue. See original summary.

gapple:

Status: Active » Postponed (maintainer needs more info)

I think you're treating getting automatically authenticated as being served from the cache, when I think it is the opposite. The request where the user is not being authenticated is due to the page being served from Varnish, and they are authenticated when they visit a page that bypasses the Varnish cache. When Persistent Login provides a token to the user, the response it is sent in is marked as private so that the internal page cache and Varnish do not cache it (as of 8.x-1.0-alpha3 - see #2853553: Wrong cached page is being served after re-opening the browser).

My understanding of the request process if your varnish is not configured to properly handle the persistent login cookie is as follows:
- Page is requested as anonymous user, and cached by varnish
- User logs in, and receives a persistent login token
- Browser is closed; session token is destroyed, but persistent login token is saved by browser.
- Browser is opened to site again, and served from varnish; persistent login is not able to check the token provided by the user.
- User visits a page not served by varnish, persistent login checks the token provided by the user and authenticates them.

#1306214: Persistent login with reverse proxy (Varnish cache) has some example configuration for Varnish to properly handle the PL token cookie, but this is something that still needs some better documentation or a tutorial from someone who is more familiar with Varnish.

Regarding the security concern you mentioned in #1306214-16: Persistent login with reverse proxy (Varnish cache), there is only an issue if you open a separate browser or a private browsing session to access the site and are logged in there and not through the same browser that you originally logged in from. Reopening the same browser and being logged back in is the expected behaviour.

If you still feel that there is a problem it would be helpful if you could provide the headers of all page requests, particularly any headers that show the cache status from Varnish and Drupal.

j.b:

Thanks.
Issue has been solved.

I've updated the varnish configuration to bypass serving page from cache if PL cookie is present.
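For readers who land here looking for what "bypass serving page from cache if PL cookie is present" looks like in practice, here is a constructed Varnish VCL sketch that follows the request flow gapple described above. It is an added illustration, not j.b's configuration and not part of the Persistent Login module; the cookie-name patterns (Drupal's SESS/SSESS session cookies and a "PL"-prefixed Persistent Login cookie) are assumptions that must be matched against the cookie name your site actually sets.

```vcl
vcl 4.0;

# Constructed example. Cookie names below are assumptions: Drupal 8 session
# cookies are SESS<hash> / SSESS<hash>; replace "PL" with the cookie name
# your Persistent Login configuration really uses.
sub vcl_recv {
    # A request that carries a session or Persistent Login token must reach
    # Drupal so the token can be validated. Serving it from cache skips that
    # check, which is the "sometimes logged in, sometimes not" symptom above.
    if (req.http.Cookie ~ "(^|;\s*)(S?SESS[a-zA-Z0-9]+|PL[a-zA-Z0-9_]*)=") {
        return (pass);
    }

    # Genuinely anonymous request: drop leftover cookies so the response is
    # cacheable. Doing this BEFORE the check above is the common mistake,
    # because it discards the PL token and the cached page is served.
    unset req.http.Cookie;
}

sub vcl_backend_response {
    # A response that sets a cookie (e.g. a freshly issued PL token) or is
    # marked private must never be stored. Varnish's builtin VCL already
    # behaves this way; it is restated so a custom VCL cannot override it.
    if (beresp.http.Set-Cookie ||
        beresp.http.Cache-Control ~ "(private|no-store)") {
        set beresp.uncacheable = true;
        set beresp.ttl = 120s;
        return (deliver);
    }
}

sub vcl_deliver {
    # Expose the cache status so the per-request headers gapple asked for
    # can be collected from the browser's network tab.
    if (obj.hits > 0) {
        set resp.http.X-Cache = "HIT";
    } else {
        set resp.http.X-Cache = "MISS";
    }
}
```

After loading it, a request sent with the PL cookie should always show X-Cache: MISS and reach Drupal, while the same page requested without cookies should show X-Cache: HIT on the second fetch.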

gapple:

Status: Postponed (maintainer needs more info) » Closed (works as designed)

I've started a documentation page on configuring Varnish at https://www.drupal.org/docs/8/modules/persistent-login/configuring-varni... but am not able to add any details myself. Since you've recently been able to get this to work, it would be helpful if you could share your experience in the module documentation for other community members to benefit from.