From 54b7427368922fa0787aafb70ebd01de58408c7b Mon Sep 17 00:00:00 2001
From: ddtraceweb
Date: Fri, 19 Dec 2014 23:17:58 +0100
Subject: [PATCH] fix bug eZSESSID hijacking fix bug eZSESSID hijacking
---
 doc/varnish/vcl/varnish3.vcl | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/doc/varnish/vcl/varnish3.vcl b/doc/varnish/vcl/varnish3.vcl
index 42cd8deb..59dc3e96 100644
--- a/doc/varnish/vcl/varnish3.vcl
+++ b/doc/varnish/vcl/varnish3.vcl
@@ -89,6 +89,12 @@ sub vcl_fetch {
 ) {
 error 503 "Hash error";
 }
+
+ //secure eZSESSID generate
+ if (beresp.ttl <= 0s || beresp.http.Set-Cookie || beresp.http.Vary == "*") {
+ set beresp.ttl = 120 s;
+ return (hit_for_pass);
+ }
 // Optimize to only parse the Response contents from Symfony
 if (beresp.http.Surrogate-Control ~ "ESI/1.0") {
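Review bot: The new `return (hit_for_pass);` sits above the `Surrogate-Control ~ "ESI/1.0"` block, so any response that sets a cookie leaves vcl_fetch before that block runs. If that block is where ESI processing is enabled (its body is outside the hunk), such a page would reach the client with its ESI tags unprocessed. Moving the guard below the Surrogate-Control handling keeps the no-cache decision without skipping it. The comment `//secure eZSESSID generate` does not say what is being prevented; something like `// Never cache a response carrying Set-Cookie (e.g. eZSESSID): a cached copy would hand one visitor's session id to everyone who hits the object` records the reason. vcl_fetch continues past the end of the hunk, and any other VCL shipped alongside this file presumably needs the same guard.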