This feature is available from eZ Publish 5.2 / 2013.07
Workflow
- Reverse proxy receives the HTTP request (without the user hash).
Reverse proxy does a sub-request (emulated in the case of HttpCache).
Sub-request must have the following headers:
X-HTTP-Override: AUTHENTICATEAccept: application/vnd.ez.UserHash+text- Original cookie (mainly to keep trace of the sessionId)
eZ Publish returns an HTTP response containing the user hash in
X-User-Hashheader.Reverse proxy adds the
X-User-Hashheader to the original request.
Note on performance
User hash is not generated for each AUTHENTICATE request. It is cached using the Cookie header string as key.
Hence each user has its own hash, generated once per session.
Hash generation being based by default on roles and limitations, a user can share the same hash with another one if their profile are similar. This is precisely what offers the possibility to share HTTP cache between several logged-in users.
Tip
You can customize user hash generation. Read How to customize UserHash generation in the developer cookbook to learn more about this.
Varnish
Described behavior comes out of the box with Symfony reverse proxy, but it's of course possible ot use Varnish to achieve the same.
This can be done thanks to Varnish Curl vmod.
Securing hash generation request
By default, hash generation requests are granted for localhost (127.0.0.1, ::1, fe80::1).
If you want to enlarge the scope (e.g. if your Varnish server is not running on the same machine), you can override canGenerateUserHash() protected method in your main kernel class (mostly EzPublishKernel).