Stripping tracking cookies with Varnish

20 January 2014 - Post source at 🐙

This is an very old post, information in this post might not be up to date with the latest documentation/language features/package versions etc. If you ran into any issues please open an issue on this blog's GitHub Repository.

Stripping tracking cookies with Varnish

The otherday I was messing with Varnish to get caching up and running correctly. One simple tool helped with that, pointing out something this Varnish noob has missed out. The age for everything was 0. Tracking cookies where the cause of that.

varnish vcl file

Cookies

On my sites I use Google Analytics together with Piwik for visitor tracking. They set a few cookies:

Google Analytics:

__utma
__utmb
__utmc
__utmz

Piwik:

_pk_id
_pk_ses

Where it's not a whole lot, they trick Varnish into thinking they are relevant to the application and there for have to be removed.

Finding the right cookies

Finding the right cookies to block is easy but don't ignore what domain they are set on. Initially I included disqus_unique but quickly realized there was no need to as it's set on .disqus.com. Use your local webinspector that comes with your browser to figure out which to filter.

default.vcl

To strip the cookies from the request I used Lee's code (see references at the bottom of this post). This bit must be placed in vcl_recv to work correctly.

  # Remove Google Analytics and Piwik cookies everywhere
  if (req.http.Cookie) {
      set req.http.Cookie = regsuball(req.http.Cookie, "(^|;\s*)(__[a-z]+|has_js)=[^;]*", "");
      set req.http.Cookie = regsuball(req.http.Cookie, "(^|;\s*)(_pk_(ses|id)[\.a-z0-9]*)=[^;]*", "");
  }
  # Remove the cookie when it's empty
  if (req.http.Cookie == "") {
      remove req.http.Cookie;
  }

You can strip fully named cookies from the request, for example disqus_unique, with this:

set req.http.Cookie = regsuball(req.http.Cookie, "(^|;\s*)(disqus_unique)=[^;]*", "");

Conclusion

Remove tracking and other uninteresting cookies for your application is easy. But it might take a moment to figure out what exactly has to be filtered. You don't want to remove your session cookie.

References

Give credit where credit is due:

Lee's Adventures in Varnish post yielded the cookie removal code as used above. It's an amazing post covering a lot more then just cookies, definitely worth to check out.
Another good piece of documentation on cookies is the Varnish wiki it self.

Categories: Google Analytics - Piwik - Cookies - Varnish