Stripping cookies in Varnish

agoel@axelerant.com's picture

We are using the Varnish/Pressflow stack for a large customer and running into some issues where visitors are being passed through Varnish. Upon closer inspection we are seeing all sorts of cookies that I cannot find in code.

We have set Varnish to strip the usual suspects (Google Analytics, AddThis, Quantcast, additional ones generated by modules or custom code). However, the list below just keeps growing and I have no idea where these cookies are being set. I have searched the codebase, but no luck. Is there another approach people are following with Varnish configurations to address this? Something like a "strip all cookies, except the following" approach?

BCSI-CS-C16732EA820E2A8A
BCSI-CS-FC2FEA75072A91E4
trc__storage
trc_cookie_storage
SERVERID
NSC_WJQ-CD
gt_s
jid
language
UserLocale
country
XTCsid
767e74cfa4cfca7fb6f8ae750990703b
alpha
iam
notified-Eandis_Compliance
donkeytsHome
alpha
CFGLOBALS
pixelfired
GoogleAdServingTest
moreover
CFMAGIC
d
traffic_control
_bit
UDMID
sess_georeg
sess_donechecks
RBC
sess_fancyjavascript
FMSS
geolocrefresh
geoloc
sess_sessionid
User-Identity-Forward-msisdn
network-access-type

Comments

Wow that's a lot of

dalin's picture

Wow that's a lot of cookies.

The likely source would be from another site on a sub-domain. You might want to set up those other sites to be more restrictive with what domains they spread their cookies to. Having that many cookies bloats your HTTP headers and can slow things down.

The one cookie that you can't live without would be the Drupal session cookie which looks something like:

SESSf4c4485d2154d412fa68d80071953871

Which you could probably target with some simple regex.

--


Dave Hansen-Lange
Director of Technical Strategy, Advomatic.com
Pronouns: he/him/his

That's not the cookies from a

agoel@axelerant.com's picture

That's not the cookies from a single user, it's the result of capturing cookies from users browsing the site over a few hour period.

We actually have the SESS.* cookie already accounted for in Varnish.

Just wondering what the best way to clean all this up would be. Should I expire any cookies that are not needed on the domain? There are no sub-domains setting cookies to my knowledge.

Abhi

What makes you think it's the cookies?

mbutcher's picture

What makes you think it is the cookies that are killing performance? Are you seeing, for example, one request for each of these cookies, or thousands of requests with these cookies in the headers?

If over the course of a few hours you get a few dozen requests (out of, presumably, hundreds of thousands) that have spurious cookies, this should not have an overall negative effect on the performance of your site. And it is not uncommon for bad clients to occasionally pass bogus data (in fact, it's one method of probing sites).

Unless you are seeing hundreds or thousands of requests with malformed cookies, I would suggest that you may be barking up the wrong tree. I'd look instead at other things -- like maybe whether or not you are generating variants by user agent or doing something else that might increase MISS rates.

Then these might be cookies

dalin's picture

Then these might be cookies from random sites on the Internet that have incorrectly set the domain of the cookie to be .com or . or something else that will catch every domain.

--


Dave Hansen-Lange
Director of Technical Strategy, Advomatic.com
Pronouns: he/him/his

Interesting, didnt know you

agoel@axelerant.com's picture

Interesting, didn't know you could do that. Any idea about best practices to get rid of these? Just setcookie() to a past date and expire them?

Abhi

Also, if what you are saying

agoel@axelerant.com's picture

Also, if what you are saying is true and other sites are setting generic cookies that other sites are able to pick up, then there should be other sites with Varnish that experience similar issues. Anyone else experienced similar issues? Resolutions?

Abhi

What is your tld? I did

Jonah Ellison's picture

What is your tld? I did search for "geolocrefresh" and it sets the domain for "co.uk." On IE, this cookie will be sent to all co.uk sites since it thinks it's a subdomain.

A quick search for "User-Identity-Forward-msisdn" shows it's from a mobile device.

Just curious, but why are you concerned about random cookies your visitors are sending? This shouldn't affect performance.

Worried about random cookies

agoel@axelerant.com's picture

Worried about random cookies because they are killing Varnish caching because anonymous users with cookies are being passed to the web layer.

The tld is .com for the client.

rework your vcl

mikeytown2's picture

I would rework the rules in your vcl file so it only passes the request to the backend if a certain set of cookies exist.
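
A sketch of the "strip all cookies, except the following" approach suggested above, added here as an example and not taken from any poster's configuration. It assumes Varnish 3.x or later syntax and an allowlist containing only the Drupal `SESS…` session cookie mentioned in the thread; any other cookie the backend actually reads would have to be added to the pattern after an audit.

```vcl
sub vcl_recv {
    if (req.http.Cookie) {
        # Normalise the header to ";name=value;name=value" so that every
        # cookie, including the first one, starts with a bare ";".
        set req.http.Cookie = ";" + req.http.Cookie;
        set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";");

        # Mark allowlisted cookies by re-inserting a space after the ";".
        # Assumption: only the Drupal session cookie is needed. Extend the
        # alternation, e.g. (SESS[a-z0-9]+|othercookie), for anything else
        # the application reads on the server side.
        set req.http.Cookie = regsuball(req.http.Cookie,
            ";(SESS[a-z0-9]+)=", "; \1=");

        # Remove every cookie that was not marked (no space after ";").
        # Unknown names such as geolocrefresh or BCSI-CS-... are dropped
        # here without ever having to be listed.
        set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", "");

        # Trim the leftover leading/trailing separators.
        set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", "");

        # Nothing allowlisted remained: treat the visitor as anonymous so
        # the request can be looked up in the cache.
        if (req.http.Cookie == "") {
            unset req.http.Cookie;
        }
        # If a session cookie remains, the Cookie header is still set and
        # the built-in vcl_recv logic passes the request to the backend.
    }
}
```

With this in place a request carrying `geoloc=x; SESSf4c4485d2154d412fa68d80071953871=abc; jid=2` reaches the backend with only the `SESS…` cookie, and a request carrying only unknown cookies is served from cache.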

I have thought about doing

agoel@axelerant.com's picture

I have thought about doing that, but wonder why I would be the first to notice this issue and also why every VCL file example I have seen out there doesn't take this approach. It would require a pretty thorough audit to make sure we capture all the cookies required by our code, but definitely do-able.

Anyone else have other ideas?
