I use Varnish for my website and it is sometimes caching login credentials and serving them to others

Discussion in 'Apache' started by mandi007va, Apr 3, 2017.

  1. #1
    My website is a classified website and I am using Varnish for it. It cached login credentials and served them to other users, so I had a big security problem, but after searching Google and adding the hash entries it is now not caching login credentials. But now I am noticing that sometimes these logged-in pages are cached and served to other users, and they are logged in to others' accounts and posting their posts under another login, sometimes deleting the original account holder's post and posting their own.

    Below is my VCL configuration:
    /*
    *
    * First, set up a backend to answer the request if there's not a cache hit.
    *
    */
    backend default {
    
        # Set a host.
        .host = "xx.xx.xx.xx";
    
        # Set a port. 80 is normal Web traffic.
        .port = "xx";
    }
    /*
    *
    * Next, configure the "receive" subroutine.
    *
    */
    include "devicedetect.vcl";
    sub vcl_recv {
        call devicedetect;
        # Use the backend we set up above to answer the request if it's not cached.
        set req.backend = default;
    
        if (req.url ~ "^/user/login" ||
            req.url ~ "^/oc-admin" ||
            req.url ~ "^/item/new" ||
            req.url ~ "^/user/login" ||
            req.url ~ "^/user/dashboard" ||
            req.url ~ "^/user" ||
            req.url ~ "^/renew-option" ||
            req.request == "POST")
        {
            return (pass);
        }
        # Pass the request along to lookup to see if it's in the cache.
        return(lookup);
    }
    /*
    *
    * Next, let's set up the subroutine to deal with cache misses.
    *
    */
    sub vcl_miss {
    
        # We're not doing anything fancy. Just pass the request along to the
        # subroutine which will fetch something from the backend.
        return(fetch);
    }
    /*
    *
    * Now, let's set up a subroutine to deal with cache hits.
    *
    */
    sub vcl_hit {
    
        # Again, nothing fancy. Just pass the request along to the subroutine
        # which will deliver a result from the cache.
        return(deliver);
    }
    /*
    *
    * This is the subroutine which will fetch a response from the backend.
    * It's pretty fancy because this is where the basic logic for caching is set.
    *
    */
    sub vcl_fetch {
         if (req.http.X-UA-Device) {
                if (!beresp.http.Vary) { # no Vary at all
                    set beresp.http.Vary = "X-UA-Device";
                } elseif (beresp.http.Vary !~ "X-UA-Device") { # add to existing Vary
                    set beresp.http.Vary = beresp.http.Vary + ", X-UA-Device";
                }
            }
        # Get the response. Set the cache lifetime of the response to 1 hour.
        set beresp.ttl = 1h;
    
        # Indicate that this response is cacheable. This is important.
        set beresp.http.X-Cacheable = "YES";
    
        # Some backends *cough* Django *cough* will assign a Vary header for
        # each User-Agent which visits the site. Varnish will store a separate
        # copy of the page in the cache for each instance of the Vary header --
        # one for each User-Agent which visits the site. This is bad. So we're
        # going to strip away the Vary header.
       # unset beresp.http.Vary;
    
        # Now pass this backend response along to the cache to be stored and served.
        return(deliver);
    }
    /*
    *
    * Finally, let's set up a subroutine which will deliver a response to the client.
    *
    */
    sub vcl_hash {
        hash_data(req.http.cookie);
    }
    sub vcl_deliver {
    
        # Nothing fancy. Just deliver the goods.
        # Note: Both cache hits and cache misses will use this subroutine.
        return(deliver);
    }
    
    Code (markup):
    after adding the below mentioned value logins are cached but sometimes it is caching and serving to others...
    sub vcl_hash {
        hash_data(req.http.cookie);
    }
    Code (markup):

    Please help me to solve it, it is urgent.
     
    mandi007va, Apr 3, 2017 IP
  2. mandi007va

    #2
    Any Varnish experts, please give me a hint.
     
    mandi007va, Apr 7, 2017 IP
  3. SolaDrive

    #3
    Are you running a VPS/Dedicated server? Are you using cPanel? Please get back to me and I am sure I can help you get this resolved.
     
    SolaDrive, Apr 27, 2017 IP
  4. mandi007va

    #4
    I am running a VPS... thanks for your reply.
     
    mandi007va, Apr 28, 2017 IP
  5. mmerlinn

    #5
    And you are going to KEEP USING a script that PUBLICIZES PRIVATE INFORMATION? Tell me the name of your site so I can put it in my list of BANNED sites.
     
    mmerlinn, Apr 29, 2017 IP
  6. mandi007va

    #6
    @mmerlinn
    My website name is google.com

    Please add it to your list....

    If you can't help the unknown, don't comment about it and waste the time of one who is having a similar problem and looking for a solution.
     
    mandi007va, May 2, 2017 IP
  7. mmerlinn

    #7
    Why in hell should anyone help a LIAR? Unknowns BY DEFINITION are UNKNOWN and therefore there is NO SOLUTION, so by your OWN ADMISSION you are looking for an IMPOSSIBLE solution and WASTING EVERYONE'S TIME.
     
    mmerlinn, May 2, 2017 IP
  8. mandi007va

    #8
    https://serverfault.com/questions/646422/varnish-is-caching-logged-in-users-pages-and-serving-those-pages

    There is a solution from experts for the same kind of problem, but I do not have enough expertise to understand the solution, so I am looking for expert advice to sort it out....

    I can clearly see you are not that expert, so you keep out of this hell, so the real experts can help me if they have time,
    so you move to your hell and keep out of this.
     
    mandi007va, May 2, 2017 IP
  9. PoPSiCLe

    #9
    If there is a solution on ServerFault, but you can't understand it, and need an expert, pay an expert to fix it for you. Don't expect experts to aid you for free. The solution presented in the ServerFault thread didn't seem very complicated (minor change in the files), and if you can't do it, then you might not be the right person to run the site (sorry to say).
     
    PoPSiCLe, May 4, 2017 IP
  10. mandi007va

    #10
    Hi PoPSiCLe, I have made those changes, but even after that I feel like sometimes, say for example, a user posts an ad about a car and in this same account, in a different category, a work-from-home job is being posted, and that is not possible... so I have a doubt that the logged-in pages are sometimes cached, so I want to clarify with an expert and I am ready to pay. No problem in that.

    I accept I am new to Varnish. I will try to solve it, or else I will remove Varnish from my website.

    Anyway, thanks for your support, PoPSiCLe.
     
    mandi007va, May 4, 2017 IP
  11. PoPSiCLe

    #11
    You might want to use Varnish for everything other than logged-in (admin) pages. I.e., do not use Varnish for the update-post pages, add new item, and so on, but use it for user profiles, already posted items, and such? That might be a better way to make sure that only static or semi-static content is being cached.
     
    PoPSiCLe, May 5, 2017 IP
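
The `vcl_fetch` in post #1 sets a one-hour TTL on every response and returns `deliver` unconditionally, which skips Varnish's built-in refusal to cache responses that carry `Set-Cookie`, so a session cookie issued to one visitor can be stored and replayed to others. The following is an added example, not code from the thread or from the linked ServerFault answer, of a Varnish 3.x policy that keeps cookie-bearing traffic out of the cache. It assumes that login state lives only in cookies; the static-file extension list is also an assumption.

```vcl
# Added example, Varnish 3.x syntax (same dialect as the configuration in post #1).
# These replace the cache decisions in vcl_recv and vcl_fetch; the backend
# selection, devicedetect call and X-UA-Device Vary handling can stay as they are.

sub vcl_recv {
    # Only GET and HEAD are candidates for caching.
    if (req.request != "GET" && req.request != "HEAD") {
        return (pass);
    }

    # Static files do not depend on the session: drop the cookie so that
    # all visitors share one cached copy. (Extension list is an assumption.)
    if (req.url ~ "\.(css|js|png|jpe?g|gif|ico)(\?.*)?$") {
        unset req.http.Cookie;
        return (lookup);
    }

    # Anything else that arrives with a cookie or credentials may be
    # personalised, so it bypasses the cache entirely.
    if (req.http.Cookie || req.http.Authorization) {
        return (pass);
    }

    return (lookup);
}

sub vcl_fetch {
    # Never store a response that hands out a cookie or that the backend
    # marked as private. hit_for_pass remembers the decision for 2 minutes
    # so later requests for the same URL go straight to the backend.
    if (beresp.http.Set-Cookie ||
        beresp.http.Cache-Control ~ "(private|no-cache|no-store)" ||
        beresp.http.Vary == "*") {
        set beresp.ttl = 120s;
        return (hit_for_pass);
    }

    # Everything that reaches this point is anonymous and cookie-free.
    set beresp.ttl = 1h;
    set beresp.http.X-Cacheable = "YES";
    return (deliver);
}
```

With this policy no request that carries a cookie reaches the cache lookup, so the `hash_data(req.http.cookie)` entry in `vcl_hash` is no longer needed. A response that carries both a `Set-Cookie` header and a non-zero `Age` header indicates that a cookie was served from cache.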
  12. mandi007va

    #12
    Yes, I have implemented it like you said, but I may have missed something. I will do some tests and report back.
     
    mandi007va, May 5, 2017 IP