@@ -67,24 +67,29 @@ at least for some parts of the site, e.g. when using forms with
6767and clear the session when it is no longer needed. Alternatively, you can look
6868into :ref: `caching pages that contain CSRF protected forms <caching-pages-that-contain-csrf-protected-forms >`.
6969
70- Cookies created in JavaScript and used only in the frontend, e.g. when using
71- Google Analytics, are nonetheless sent to the server. These cookies are not
72- relevant for the backend and should not affect the caching decision. Configure
73- your Varnish cache to `clean the cookies header `_. You want to keep the
74- session cookie, if there is one, and get rid of all other cookies so that pages
75- are cached if there is no active session. Unless you changed the default
76- configuration of PHP, your session cookie has the name ``PHPSESSID ``:
70+ Cookies created in JavaScript and used only on the frontend, such as those from
71+ Google Analytics, are still sent to the server. These cookies are not relevant
72+ for backend processing and should not influence the caching logic. To ensure
73+ this, configure your Varnish cache to `clean the cookies header `_ by retaining
74+ only essential cookies (e.g., session cookies) and removing all others. This
75+ allows pages to be cached when there is no active session.
76+
77+ If you are using PHP with its default configuration, the session cookie is
78+ typically named ``PHPSESSID ``. Additionally, if your application depends on other
79+ critical cookies, such as a ``REMEMBERME `` cookie for :doc: `remember me </security/remember_me >`
80+ functionality or a trusted device cookie for two-factor authentication, these
81+ cookies should also be preserved.
7782
7883.. configuration-block ::
7984
8085 .. code-block :: varnish4
8186
8287 sub vcl_recv {
83- // Remove all cookies except the session ID .
88+ // Remove all cookies except for essential ones .
8489 if (req.http.Cookie) {
8590 set req.http.Cookie = ";" + req.http.Cookie;
8691 set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";");
87- set req.http.Cookie = regsuball(req.http.Cookie, ";(PHPSESSID)=", "; \1=");
92+ set req.http.Cookie = regsuball(req.http.Cookie, ";(PHPSESSID|REMEMBERME )=", "; \1=");
8893 set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", "");
8994 set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", "");
9095
@@ -98,11 +103,11 @@ configuration of PHP, your session cookie has the name ``PHPSESSID``:
98103code-block :: varnish3
99104
100105 sub vcl_recv {
101- // Remove all cookies except the session ID .
106+ // Remove all cookies except for essential ones .
102107 if (req.http.Cookie) {
103108 set req.http.Cookie = ";" + req.http.Cookie;
104109 set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";");
105- set req.http.Cookie = regsuball(req.http.Cookie, ";(PHPSESSID)=", "; \1=");
110+ set req.http.Cookie = regsuball(req.http.Cookie, ";(PHPSESSID|REMEMBERME )=", "; \1=");
106111 set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", "");
107112 set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", "");
108113
0 commit comments