How to debug if session id cookie goes through proxy cache

Run curl command direct from you server, where application run - in my case local app is running on localhost and standard port 80 so I use http://localhost and set your app domain in Host, in my case www.recepty.eu

/var/www/html #  curl -I -H "Host: www.recepty.eu" http://localhost
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Set-Cookie: sessionid=8e2gcbhge33vhciogdddhbpnqs; path=/; secure; HttpOnly; SameSite=lax
Cache-Control: max-age=0, must-revalidate, private, s-maxage=600
Date: Fri, 21 Feb 2020 09:30:40 GMT
Link: <http://127.0.0.1:8080/build/runtime.js>; rel="preload"; as="script",<http://127.0.0.1:8080/build/base.js>; rel="preload"; as="script",<http://127.0.0.1:8080/build/base.css>; rel="preload"; as="style",<http://127.0.0.1:8080/build/recipe.css>; rel="preload"; as="style"
Expires: Fri, 21 Feb 2020 09:30:40 GMT

You will see Set-Cookie header.

Copy sessionid=8e2gcbhge33vhciogdddhbpnqs; and run another curl, but add cookie param to it and you will see, that Set-Cookie header will disappear. So your local environment working fine.

curl -I -H "Host: www.recepty.eu" -H "cookie: sessionid=8e2gcbhge33vhciogdddhbpnqs;" http://localhost

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Cache-Control: max-age=0, must-revalidate, private, s-maxage=600
Date: Fri, 21 Feb 2020 09:34:40 GMT
Link: <http://127.0.0.1:8080/build/runtime.js>; rel="preload"; as="script",<http://127.0.0.1:8080/build/base.js>; rel="preload"; as="script",<http://127.0.0.1:8080/build/base.css>; rel="preload"; as="style",<http://127.0.0.1:8080/build/recipe.css>; rel="preload"; as="style"
Expires: Fri, 21 Feb 2020 09:34:40 GMT

If you will see another Set-Cookie header. You app session handling is broken so it is not problem on proxy caching server.

Broken reasons:

  • you app scale is 2+ and you are not using shared session storage (you can use redis instead of filesystem)
  • session directory on your filesystem is not writable

Debug through proxy cache

Instead of http://localhost use your server domain that goes through proxy cache. In my case https://www.recepty.eu

curl -I -H "Host: www.recepty.eu" https://www.recepty.eu

HTTP/2 200
age: 0
cache-control: max-age=0, must-revalidate, no-cache, no-store
content-encoding: gzip
content-type: text/html; charset=UTF-8
date: Fri, 21 Feb 2020 09:41:35 GMT
display: pub_site_sol
expires: Thu, 20 Feb 2020 09:41:35 GMT
link: </build/runtime.ed3c6480.js>; rel="preload"; as="script",</build/base.404c647b.js>; rel="preload"; as="script",</build/base.e416f602.css>; rel="preload"; as="style",</build/recipe.ef310f77.css>; rel="preload"; as="style"
pagespeed: off
response: 200
server: nginx/1.16.0
set-cookie: sessionid=tq7jlr8bil1lpj5vu2afuexxx; path=/; secure; HttpOnly; SameSite=lax
strict-transport-security: max-age=15724800; includeSubDomains
vary: Accept-Encoding,X-APP-JSON
via: 1.1 varnish (Varnish/6.0)
x-vcache: Miss
content-length: 28207

Copy sessionid=tq7jlr8bil1lpj5vu2afuexxx and run command with -H "cookie: sessionid=tq7jlr8bil1lpj5vu2afuexxx;".

If you will not see set-cookie header, your proxy configuration is broken. You should whitelist your sessionid or PHPSESSID in your proxy cache config.

If set-cookie will disappear, your proxy cache is ok.

curl -I -H "Host: www.recepty.eu" -H "cookie: sessionid=tq7jlr8bil1lpj5vu2afuexxx;" https://www.recepty.eu

HTTP/2 200
age: 0
cache-control: max-age=0, must-revalidate, no-cache, no-store
content-encoding: gzip
content-type: text/html; charset=UTF-8
date: Fri, 21 Feb 2020 09:44:01 GMT
expires: Thu, 20 Feb 2020 09:44:01 GMT
link: </build/runtime.ed3c6480.js>; rel="preload"; as="script",</build/base.404c647b.js>; rel="preload"; as="script",</build/base.e416f602.css>; rel="preload"; as="style",</build/recipe.ef310f77.css>; rel="preload"; as="style"
pagespeed: off
response: 200
server: nginx/1.16.0
strict-transport-security: max-age=15724800; includeSubDomains
vary: Accept-Encoding,X-APP-JSON
via: 1.1 varnish (Varnish/6.0)
x-vcache: Miss
content-length: 28359