You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This PR was merged into the 2.3 branch.
Discussion
----------
Varnish cookbook session cookie handling
| Q | A
| ------------- | ---
| Doc fix? | yes
| New docs? | no
| Applies to | all
| Fixed tickets | #3881
This builds on top of #4627 but i wanted to keep it separate as there are open questions in here.
Commits
-------
b294b24 cleanup from feedback
7a4dafc remove part about vary on cookie
c88ad32 explain how to work with cookies and sessions when caching
Copy file name to clipboardExpand all lines: cookbook/cache/varnish.rst
+53
Original file line number
Diff line number
Diff line change
@@ -60,6 +60,57 @@ If the ``X-Forwarded-Port`` header is not set correctly, Symfony will append
60
60
the port where the PHP application is running when generating absolute URLs,
61
61
e.g. ``http://example.com:8080/my/path``.
62
62
63
+
Cookies and Caching
64
+
-------------------
65
+
66
+
By default, a sane caching proxy does not cache anything when a request is sent
67
+
with :ref:`cookies or a basic authentication header<http-cache-introduction>`.
68
+
This is because the content of the page is supposed to depend on the cookie
69
+
value or authentication header.
70
+
71
+
If you know for sure that the backend never uses sessions or basic
72
+
authentication, have varnish remove the corresponding header from requests to
73
+
prevent clients from bypassing the cache. In practice, you will need sessions
74
+
at least for some parts of the site, e.g. when using forms with
75
+
:ref:`CSRF Protection <forms-csrf>`. In this situation, make sure to only
76
+
start a session when actually needed, and clear the session when it is no
77
+
longer needed. Alternatively, you can look into :doc:`../cache/form_csrf_caching`.
78
+
79
+
.. todo link "only start a session when actually needed" to cookbook/session/avoid_session_start once https://github.com/symfony/symfony-docs/pull/4661 is merged
80
+
81
+
Cookies created in Javascript and used only in the frontend, e.g. when using
82
+
Google analytics are nonetheless sent to the server. These cookies are not
83
+
relevant for the backend and should not affect the caching decision. Configure
84
+
your Varnish cache to `clean the cookies header`_. You want to keep the
85
+
session cookie, if there is one, and get rid of all other cookies so that pages
86
+
are cached if there is no active session. Unless you changed the default
87
+
configuration of PHP, your session cookie has the name PHPSESSID:
88
+
89
+
.. code-block:: varnish4
90
+
91
+
sub vcl_recv {
92
+
// Remove all cookies except the session ID.
93
+
if (req.http.Cookie) {
94
+
set req.http.Cookie = ";" + req.http.Cookie;
95
+
set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";");
96
+
set req.http.Cookie = regsuball(req.http.Cookie, ";(PHPSESSID)=", "; \1=");
97
+
set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", "");
98
+
set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", "");
99
+
100
+
if (req.http.Cookie == "") {
101
+
// If there are no more cookies, remove the header to get page cached.
102
+
remove req.http.Cookie;
103
+
}
104
+
}
105
+
}
106
+
107
+
.. tip::
108
+
109
+
If content is not different for every user, but depends on the roles of a
110
+
user, a solution is to separate the cache per group. This pattern is
111
+
implemented and explained by the FOSHttpCacheBundle_ under the name
112
+
`User Context`_.
113
+
63
114
Ensure Consistent Caching Behaviour
64
115
-----------------------------------
65
116
@@ -176,8 +227,10 @@ proxy before it has expired, it adds complexity to your caching setup.
0 commit comments