Flask-Login sets a session cookie for anonymous requests making very difficult to use Varnish

[teleyinex]

Hi,

I'm trying to use Varnish to speed up my Flask application, and I've discovered that as soon as I load the Flask-Login extension (with the init method) all requests to the app create a cookie with the name session. This is problematic for Varnish because when a request has a cookie, Varnish moves it to the backend, converting Varnish in a cache only for static content (the other option is to use ESI or cache for every cookie).

I've tried to figure out where in your code you set up the cookie, but I cannot find it. Can you help me?

Cheers

[mkonecny]

How do you expect Flask-Login to work if it doesn't set a cookie?

[teleyinex]

I think I explained myself badly in the first place. I understand that a cookie is needed for registered users, but is it necessary for anonymous people? If you don't create an account at all, why Flask-Login creates a cookie? Is it for the current_user methods?

[maxcountryman]

It's necessary to see if there's a user id in the session prior to populating the context stack; yes.

[teleyinex]

OK, perfect! Now I get it. Thanks a lot for the information. Question: by any chance is that cookie for the anonymous user the same all the time? Because that will basically help to cache the views in Varnish per cookie (not really the best case scenario but much better than not caching anything).

Another option could be to identify the Cookie in a special way, so we can actually track it at Varnish. Do you think that could be a possibility?

[maxcountryman]

Question: by any chance is that cookie for the anonymous user the same all the time?

It should be in the session, so yes, assuming you're using the built-in Flask session infrastructure.

Another option could be to identify the Cookie in a special way, so we can actually track it at Varnish. Do you think that could be a possibility?

You should be able to identify the session cookie on the frontend, yes.

[teleyinex]

Thanks a lot for your helpful answers! I'll be trying to cache everything based on cookies then!

[mhammonds]

Same problem here regarding Flask-Login and Varnish.

I don't see why it's necessary to set a cookie for Anonymous users. The first connection from an unauthenticated user will never have a cookie, so clearly it isn't needed even for the current_user() functionality.

I think this ticket should be re-opened to add support for disabling anonymous login cookies. I'd be glad to participate in the development for this as it is a huge stumbling block for anyone looking to scale with Varnish.

[maxcountryman]

As always, PRs welcome.

[mhammonds]

Glad to hear that, Max. I'll explore the code a bit more and see if I can come up with something that will work out of the box for Varnish users. I've really enjoyed working with Flask-Login up to this point, so thanks for all the effort!