If you’ve installed Varnish but not Pressflow (for Drupal 6), the following scenario may happen:
- User A logs in, gets sessionid A
- User A changes something and loads a new page
- While loading the new page, a js or css-file is being downloaded from Varnish (example: /sites/default/files/js/js_79eb17289b3a88ec931b6f4bdb728282.js)
- The next file that is being downloaded is a jpg. This file doesn’t come from the Varnish cache and gives a new sessionid to the user (sessionid B)
- The requested page is being served correctly because it was requested with sessionid A. The user is unaware that he has a new sessionid because it happened during the loading of the page elements.
- The user clicks on another page and sends a new request with sessionid B.
- Drupal checks sessionid B and sees that the session belongs to an anonymous user. Result: the user gets an “Access Denied” and is logged out.
Solution: install Pressflow. It will stop giving sessionids to the client.
(This post only applies if you have installed Varnish.)
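To confirm that a site is hitting this scenario, the response headers captured during one page load can be replayed to find the response that replaced the session cookie. The Python sketch below is an added example, not code from the original post; it assumes Drupal 6 names its session cookie SESS followed by 32 hex characters, and the capture, the .jpg path and the cookie values are constructed.

```python
import re
from http.cookies import SimpleCookie

# Assumption: Drupal 6 session cookies are named "SESS" + 32 hex characters.
SESSION_COOKIE = re.compile(r"^SESS[0-9a-f]{32}$")
STATIC_EXT = (".js", ".css", ".jpg", ".jpeg", ".png", ".gif", ".ico")
NAME = "SESS0123456789abcdef0123456789abcdef"  # constructed cookie name

# Constructed capture of one page load: (request path, Set-Cookie header or None).
SAMPLE = [
    ("/node/1/edit", None),
    # Served from the Varnish cache: no Set-Cookie.
    ("/sites/default/files/js/js_79eb17289b3a88ec931b6f4bdb728282.js", None),
    # Not served from the cache: the backend hands out a new session ID.
    ("/sites/default/files/photo.jpg", NAME + "=sessionB; path=/; HttpOnly"),
    ("/node/2", None),
]

def session_from(header_value):
    """Return the session ID carried by a Set-Cookie header, or None."""
    jar = SimpleCookie()
    jar.load(header_value or "")
    for name, morsel in jar.items():
        if SESSION_COOKIE.match(name):
            return morsel.value
    return None

def find_session_swaps(exchanges, initial_session):
    """Replay responses through a browser-like cookie jar and report each
    response that replaced the session ID, plus the ID left at the end."""
    current, swaps = initial_session, []
    for path, set_cookie in exchanges:
        new = session_from(set_cookie)
        if new is not None and new != current:
            swaps.append({
                "path": path,
                # A session cookie on a static asset is the symptom described above.
                "static_asset": path.lower().endswith(STATIC_EXT),
                "old": current,
                "new": new,
            })
            current = new
    return swaps, current

if __name__ == "__main__":
    swaps, final = find_session_swaps(SAMPLE, "sessionA")
    for s in swaps:
        print("%(path)s replaced %(old)s with %(new)s (static=%(static_asset)s)" % s)
    print("browser now sends:", final)
```

Any entry reported with `static_asset` set to true is a static file that was answered by the backend with a fresh session cookie instead of being served cookie-free.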