feature #4628 Varnish cookbook session cookie handling (dbu)

This PR was merged into the 2.3 branch.


Varnish cookbook session cookie handling

| Q             | A
| ------------- | ---
| Doc fix?      | yes
| New docs?     | no
| Applies to    | all
| Fixed tickets | #3881

This builds on top of #4627 but I wanted to keep it separate as there are open questions in here.


b294b24 cleanup from feedback
7a4dafc remove part about vary on cookie
c88ad32 explain how to work with cookies and sessions when caching
weaverryan committed Jan 30, 2015
2 parents 3921d70 + b294b24 commit ad7416975bfca530b75bbebd29baa89eeeae5e51
Showing with 55 additions and 0 deletions.
  1. +2 −0 book/http_cache.rst
  2. +53 −0 cookbook/cache/varnish.rst
@@ -383,6 +383,8 @@ This has two very reasonable consequences:
blog post). Caching them would prevent certain requests from hitting and
mutating your application.
.. _http-cache-defaults:
Caching Rules and Defaults
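Review bot: the new `http-cache-defaults` label is not referenced by the other hunk of this commit (which links `http-cache-introduction` and `forms-csrf`), so either the cookbook text should point at it with `:ref:` or the label is unused and should be dropped. If it stays, keep a blank line between `.. _http-cache-defaults:` and the `Caching Rules and Defaults` heading so Sphinx attaches the label to the section.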
@@ -60,6 +60,57 @@ If the ``X-Forwarded-Port`` header is not set correctly, Symfony will append
the port where the PHP application is running when generating absolute URLs,
e.g. ````.
Cookies and Caching
By default, a sane caching proxy does not cache anything when a request is sent
with :ref:`cookies or a basic authentication header<http-cache-introduction>`.
This is because the content of the page is supposed to depend on the cookie
value or authentication header.
If you know for sure that the backend never uses sessions or basic
authentication, have varnish remove the corresponding header from requests to
prevent clients from bypassing the cache. In practice, you will need sessions
at least for some parts of the site, e.g. when using forms with
:ref:`CSRF Protection <forms-csrf>`. In this situation, make sure to only
start a session when actually needed, and clear the session when it is no
longer needed. Alternatively, you can look into :doc:`../cache/form_csrf_caching`.
.. todo link "only start a session when actually needed" to cookbook/session/avoid_session_start once is merged
Cookies created in Javascript and used only in the frontend, e.g. when using
Google analytics are nonetheless sent to the server. These cookies are not
relevant for the backend and should not affect the caching decision. Configure
your Varnish cache to `clean the cookies header`_. You want to keep the
session cookie, if there is one, and get rid of all other cookies so that pages
are cached if there is no active session. Unless you changed the default
configuration of PHP, your session cookie has the name PHPSESSID:
.. code-block:: varnish4
sub vcl_recv {
// Remove all cookies except the session ID.
if (req.http.Cookie) {
set req.http.Cookie = ";" + req.http.Cookie;
set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";");
set req.http.Cookie = regsuball(req.http.Cookie, ";(PHPSESSID)=", "; \1=");
set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", "");
set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", "");
if (req.http.Cookie == "") {
// If there are no more cookies, remove the header to get page cached.
remove req.http.Cookie;
.. tip::
If content is not different for every user, but depends on the roles of a
user, a solution is to separate the cache per group. This pattern is
implemented and explained by the FOSHttpCacheBundle_ under the name
`User Context`_.
Ensure Consistent Caching Behaviour
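Review bot: the snippet is tagged `.. code-block:: varnish4` but ends with `remove req.http.Cookie;`; in Varnish 4 VCL the keyword is `unset` (`remove` survives only as a deprecated alias), so this should read `unset req.http.Cookie;`. The prose also needs a stated precondition where it says to "have varnish remove the corresponding header": stripping `Cookie` or the basic authentication header is only safe when the backend truly ignores them, because otherwise a response generated for one user is stored and served to every client that hits the same URL, so say that explicitly rather than leave it implied. Smaller points: the `.. todo` line is a raw note referencing an unmerged PR and reads "once is merged" (missing "it"), so move it to the PR discussion or fix the wording; and "Javascript" / "Google analytics" should be "JavaScript" / "Google Analytics".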
@@ -176,8 +227,10 @@ proxy before it has expired, it adds complexity to your caching setup.
.. _`Varnish`:
.. _`Edge Architecture`:
.. _`GZIP and Varnish`:
.. _`Clean the cookies header`:
.. _`Surrogate-Capability Header`:
.. _`cache invalidation`:
.. _`FOSHttpCacheBundle`:
.. _`default.vcl`:
.. _`builtin.vcl`:
.. _`User Context`:
