creativestyle / magesuite-vary-cookie-signer
X-Magento-Vary Cookie Signer
Installs: 16
Dependents: 0
Suggesters: 0
Security: 0
Stars: 0
Watchers: 5
Forks: 0
Open Issues: 0
Type:magento2-module
Requires
- magento/framework: >=103.0.5 <130.0.5-p5
README
Magento uses special cookie called X-Magento-Vary
to distinguish between different variants of some pages (eg. PDP page for customers with special discount).
When varnish server is used this is handled by adding content of X-Magento-Vary
cookie to hash key.
This can be abused to bypass varnish page cache and generate high load on php server by generating random value for every request.
This extension provide a way to verify valid cookie on varnish server by providing extra cookie called X-Magento-Vary-Sign
containing sha1 hash of X-Magento-Vary
cookie content and signing key (which should be random value).
Without knowing secret, attacker isn't able to generate correctly signed cookie and we can verify it on varnish server and ignore incorrect values, therefore reuse cached page.
Magento configuration
Edit the /app/etc/env.php file to configure the signing key.
...
'vary_cookie_sign' => [
'key' => 'REPLACE_THIS_WITH_SIGNING_KEY'
]
...
Varnish configuration
You need to install uplex vmod_blobdigest also available as RPM in mageops repository.
Make sure you have those imports at the beginning of your VCL:
import blobdigest;
import cookie;
import blob;
Add to sub vcl_init
new sha1 = blobdigest.digest(SHA1);
Add to sub vcl_recv
if (req.http.cookie ~ "X-Magento-Vary=") {
cookie.parse(req.http.cookie);
if(! sha1.update( blob.decode( encoded=cookie.get("X-Magento-Vary") + "REPLACE_THIS_WITH_SIGNING_KEY" ) ) ) {
return (synth(500, "Internal Server Error"));
}
if ( blob.encode( encoding=HEX, case=LOWER, blob=sha1.final() ) != cookie.get("X-Magento-Vary-Sign") ) {
cookie.delete("X-Magento-Vary");
set req.http.cookie = cookie.get_string();
}
}
NOTE: First if statement can only fail when update
is called after finish
, but this is not possible, however VCL do not allow calling object methods, therefore this function mainly as workaround to this limitation.
Do not forget to replace REPLACE_THIS_WITH_SIGNING_KEY
with your unique random string, and make sure you use the same value in varnish and magento.
https://creativestyle.atlassian.net/wiki/spaces/MGSDEV/pages/2359951361/VaryCookieSigner+optional