Excessive, duplicate cookies cause varnish errors

Created on 26 June 2025, 7 days ago

Problem/Motivation

For certain users, an excessive number of "Set-Cookie: apbct_admin_logged_in=...." headers are being sent, causing Varnish to choke and return a 503 Backend fetch failed error when trying to log in.

Steps to reproduce

This is difficult to reproduce due to the need to bypass Varnish. I was able to do so by using "drush uli" to generate a login link for the user and then using curl to retrieve that page into a file using the internal IP address of the server. In my case, there were 120 duplicate Set-Cookie headers in the resulting file.

In sites that don't use Varnish, it may be a simple matter of using browser developer tools to review the response from the server when logging in. However, developer tools may consolidate duplicate cookies into one, so it may still be necessary to use curl to see the raw data returned by the server.

Proposed resolution

Cookies are set in apbct_setcookie() in CleantalkFuncs.php. I propose that this method be modified to keep track of all cookies that are set and return without setting a cookie that has already been set previously (with the same value). I am attaching a patch that accomplishes this.

Remaining tasks

  • Review proposal and decide if you agree
  • Review/test patch

Alternatively, it might be a good idea to determine why so many cookies are being set in the first place and determine if there is a different fix needed to prevent this.

🐛 Bug report
Status

Active

Version

9.6

Component

Code

Created by

🇺🇸United States cobblestone.consulting
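
A way to run the check described under "Steps to reproduce" on a response saved with its headers (for example with curl's `-i` option). This is an added example, not part of the report or the attached patch; the function names, the sample response and the cookie values in it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the module. Summarizes Set-Cookie headers in a
# saved raw HTTP response so duplicates are visible.

# set_cookie_summary FILE
# Output, one line per cookie name: <name> <headers> <distinct values> <bytes>
# Only the first header block (up to the first blank line) is read.
set_cookie_summary() {
    awk '
        { sub(/\r$/, "") }                    # tolerate CRLF line endings
        $0 == "" { exit }                     # blank line ends the headers
        tolower($0) ~ /^set-cookie:/ {
            pair = $0
            sub(/^[^:]*:[ \t]*/, "", pair)    # drop the header name
            sub(/;.*/, "", pair)              # drop attributes (path, expires, ...)
            eq = index(pair, "=")
            if (eq == 0) next
            name = substr(pair, 1, eq - 1)
            count[name]++
            bytes[name] += length($0) + 2     # +2 for the CRLF on the wire
            if (!((name, pair) in seen)) { seen[name, pair] = 1; distinct[name]++ }
        }
        END { for (n in count) print n, count[n], distinct[n], bytes[n] }
    ' "$1" | sort
}

# Constructed sample: 120 identical headers, as in the report, plus one other.
sample_response() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n'
    i=0
    while [ "$i" -lt 120 ]; do
        printf 'Set-Cookie: apbct_admin_logged_in=CONSTRUCTED_VALUE; path=/\r\n'
        i=$((i + 1))
    done
    printf 'Set-Cookie: other_cookie=constructed; path=/; HttpOnly\r\n'
    printf '\r\n<html>body</html>\r\n'
}

tmp=$(mktemp)
sample_response > "$tmp"
set_cookie_summary "$tmp"
rm -f "$tmp"
```

A cookie whose header count is far above its distinct-value count is being re-sent with the same value, which is the case the proposed change to apbct_setcookie() suppresses. The header count and byte total can be compared against the response-header limits configured in Varnish, such as `http_max_hdr` and `http_resp_hdr_len`.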
