View Issue Details

IDProjectCategoryView StatusLast Update
0006212OXID eShop (all versions)4.08. Cachepublic2016-01-15 13:26
Reporterhendrikfreytag Assigned To 
PrioritynormalSeveritymajorReproducibilityalways
Status resolvedResolutionfixed 
Product Version4.9.5 / 5.2.5 
Fixed in Version4.9.7 / 5.2.7 
Summary0006212: Problems with deleting unimportant cookies in varnish 4
DescriptionVarnish version: 4.0.3

Varnish uses ',' as separator for cookies. But if there is an expires cookie is has also a ',' in it (e.g. Thu,01-Jan-1970 00:00:01). So varnish thinks that should be separated.
Steps To ReproduceTo get a cookie that makes problems you can e.g. add following lines in application/controllers/details.php at the beginning of the render function:

$oHistoryArtList = oxNew('oxarticlelist');
$oHistoryArtList->loadHistoryArticles($sOxid, $iCnt);
Additional InformationIn varnishlog you will get something like that:
- BerespUnset Set-Cookie: language=0; path=/; httponly, language=0; path=/; httponly, aHistoryArticles=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; httponly
- BerespHeader Set-Cookie: language=0; path=/; httponly, language=0; path=/; httponly, aHistoryArticles=deleted; expires=Thu,01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; httponly
- BerespUnset Set-Cookie: language=0; path=/; httponly, language=0; path=/; httponly, aHistoryArticles=deleted; expires=Thu,01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; httponly
- BerespHeader Set-Cookie: language=0; path=/; httponly, language=0; path=/; httponly, aHistoryArticles=deleted; expires=Thu,01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; httponly
- BerespUnset Set-Cookie: language=0; path=/; httponly, language=0; path=/; httponly, aHistoryArticles=deleted; expires=Thu,01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; httponly
- BerespHeader Set-Cookie: language=0; path=/; httponly, language=0; path=/; httponly, aHistoryArticles=deleted; expires=Thu,01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; httponly
- BerespUnset Set-Cookie: language=0; path=/; httponly, language=0; path=/; httponly, aHistoryArticles=deleted; expires=Thu,01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; httponly
- BerespHeader Set-Cookie: , , ,01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; httponly
- BerespUnset Set-Cookie: , , ,01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; httponly
- BerespHeader Set-Cookie: , , ,01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; httponly
- BerespUnset Set-Cookie: , , ,01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; httponly
- BerespHeader Set-Cookie: ,01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; httponly
- BerespUnset Set-Cookie: ,01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; httponly
- BerespHeader Set-Cookie: ,01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; httponly
- ObjHeader Set-Cookie: ,01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; httponly

So you can see the cookies are not correct removed.
TagsSolution Provided, Varnish
ThemeNot defined
BrowserNot defined
PHP VersionNot defined
Database VersionNot defined

Activities

michael_keiluweit

2015-09-10 13:45

administrator   ~0011214

Last edited: 2015-09-10 13:46

Extracted from a Skype Chat with Saulius:


Michael Keiluweit: oxClearCookiesByWhitelistRecv
# Setting to all cookies that are in white list "@" sign before param name.

so cookies on the whitelist are getting a @ sign therefore they will not be deleted later.
But I detected, that some admin area cookies are still there, after the cleaning.
I guess one will not be deleted because it has an @sign in its content:
setOxCookie("oxidadminprofile", $sProfile . "@" . implode("@", $aProfiles[$sProfile]),
but this effects only admin user as normal customers doesn't get such an cookie
the other cookie is admin_sid, it will not be deleted, too. But I have no idea why.
I made a debug output to see what is going on in the function:

@sid_key=oxid; showlinksonce=1; oxidadminprofile=0%40Standard%4010; oxidadminlanguage=en; @oxid_3=michael.keiluweit%40oxid-esales.com%40%40%405aNXR3tx1l.mA; @oxid_3_autologin=1; oxidadminhistory=%7Cadmin_start%7Cnavigation%7Carticle%7Cshop%7Cadmin_user; admin_sid=adejl74pop7po8ic1ci8dugoi6; language=0; @oxid_9=michael.keiluweit%40oxid-esales.com%40%40%405aNXR3tx1l.mA; @oxid_9_autologin=1; oxenv_key=7ecbdfb42d888f25bca55e72fc7af409; @oxid_10=michael.keiluweit%40oxid-esales.com%40%40%405aNXR3tx1l.mA; @oxid_10_autologin=1; sid=tiqtobgq7074mbt9hjs3dj8ci4

You see that the cookies which are on the whiltelist are marked.
The following string is the result after the cleaning:
sid_key=oxid; oxidadminprofile=0%40Standard%4010; oxid_3=michael.keiluweit%40oxid-esales.com%40%40%405aNXR3tx1l.mA; oxid_3_autologin=1; admin_sid=adejl74pop7po8ic1ci8dugoi6; oxid_9=michael.keiluweit%40oxid-esales.com%40%40%405aNXR3tx1l.mA; oxid_9_autologin=1; oxid_10=michael.keiluweit%40oxid-esales.com%40%40%405aNXR3tx1l.mA; oxid_10_autologin=1


Michael Keiluweit: as I said, because it effects only the admin users, it is more or less important. But it should be known that there could be an issue in the future.