Details
Bug
Resolution: Fixed
High
Description
When using a reverse proxy (such as Varnish), we want to be able to control how eZ Publish creates cookies, in order to tell Varnish to cache or not.
When the session lazystart was implemented, I think that many parts of the kernel were not patched correctly.
For example:
- wget -S -O /dev/null http://mysite/user/register
<..>
Set-Cookie: eZSESSID<hash>=<hash>; path=/
This is caused by a call to eZHTTPTool::hasSessionVariable() without the 2nd parameter set to false, in order to NOT autostart a session.
Another problem lies in eZUser::logoutCurrent():
- eZSession::regenerate();
which regenerates a session, thus sending a new eZSESSID cookie, which seems plain wrong when we want to log out in the session lazystart scenario.
Many parts of the kernel (and, by copy/pasting, many of our own extensions) are affected by this "issue" and I would like to have your point of view, to have a well set-up Varnish-proof eZ Publish.
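The `wget -S` check from the report can be run over a list of URLs to find every response that starts a session. The following is an added example, not part of the original report or of eZ Publish. It assumes the headers were captured with `wget -S` and no cookie sent, and every URL and cookie value in the sample is constructed.

```python
import re

# `wget -S` prints a "--<date> <time>--  <url>" line per request,
# followed by the indented response headers.
URL_LINE = re.compile(r"^--\S+ \S+--\s+(\S+)")
SET_COOKIE = re.compile(r"^\s*Set-Cookie:\s*(.+)$", re.IGNORECASE)

def classify(set_cookie_value, prefix="eZSESSID"):
    """Return 'start', 'expire' or None (not a session cookie)."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name, _, value = parts[0].partition("=")
    if not name.startswith(prefix):
        return None
    attrs = dict(p.lower().partition("=")[::2] for p in parts[1:] if p)
    max_age = attrs.get("max-age", "")
    # PHP's setcookie() sends the value "deleted" (and Max-Age=0) to remove a cookie.
    if value == "deleted" or (max_age.lstrip("-").isdigit() and int(max_age) <= 0):
        return "expire"
    return "start"

def session_starts(wget_output):
    """List the URLs whose response sets a live session cookie."""
    flagged, url = [], None
    for line in wget_output.splitlines():
        m = URL_LINE.match(line)
        if m:
            url = m.group(1)
            continue
        m = SET_COOKIE.match(line)
        if m and classify(m.group(1)) == "start" and url not in flagged:
            flagged.append(url)
    return flagged

# Constructed sample: anonymous requests, trimmed to the relevant headers.
SAMPLE = """\
--2024-01-01 10:00:00--  http://mysite/user/register
  HTTP/1.1 200 OK
  Set-Cookie: eZSESSIDexample=constructedvalue1; path=/
--2024-01-01 10:00:01--  http://mysite/content/view/full/2
  HTTP/1.1 200 OK
  Cache-Control: public, max-age=600
--2024-01-01 10:00:02--  http://mysite/user/logout
  HTTP/1.1 302 Found
  Set-Cookie: eZSESSIDexample=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
  Set-Cookie: eZSESSIDexample=constructedvalue2; path=/
"""

if __name__ == "__main__":
    print(session_starts(SAMPLE))
```

A logout response that only expires the cookie is not flagged. One that also sets a fresh eZSESSID, as described for eZSession::regenerate(), is.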