nginx cache cookies issue

The following is quite dangerous:

fastcgi_ignore_headers Cache-Control Expires Set-Cookie;

With Set-Cookie in the values, you're effectively allowing someone's login request to be cached. You need to either hide it from the response via fastcgi_hide_header (which would break the login feature, if not done correctly) or use fastcgi_ignore_headers Cache-Control Expires; (which would break caching altogether, if you have a "bad" app, see below).

It is best to identify your "login location" (e.g. POST /login) and essentially create two cache configurations:

  1. Login location. Neither fastcgi_ignore_headers nor fastcgi_hide_header is required. Do not include them.

  2. Other pages location. This is required if your app unnecessarily starts a session (sends Set-Cookie) for any page; quite many do.

    fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
    fastcgi_hide_header Set-Cookie;
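As an added example (not part of the original answer), here is a complete server block that applies the two-location split described above. The zone name php_cache, the PHP-FPM socket path, the /login URI, and the PHPSESSID cookie name are assumptions for illustration; adjust them to your app. It also adds an X-Cache-Status response header so you can confirm from curl that /login responses are never served from cache (expect MISS or BYPASS there, HIT on ordinary pages).

```nginx
# Added example, not the original answer's config. Assumed names:
# php_cache (zone), /run/php/php-fpm.sock (upstream), /login (login URI),
# PHPSESSID (session cookie name).
fastcgi_cache_path /var/cache/nginx/php levels=1:2 keys_zone=php_cache:10m
                   max_size=1g inactive=60m;

server {
    listen 80;
    server_name example.com;
    root /var/www/html;
    index index.php;

    # Expose the cache decision so it can be checked with curl -I.
    add_header X-Cache-Status $upstream_cache_status always;

    # 1. Login location: cache enabled, but Set-Cookie is neither ignored nor
    #    hidden. Because nginx honours Set-Cookie here, a response that sets a
    #    session cookie is never stored, so one user's login response cannot be
    #    replayed to another visitor.
    location = /login {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/index.php;
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_cache php_cache;
        fastcgi_cache_key "$scheme$request_method$host$request_uri";
        fastcgi_cache_valid 200 10m;
    }

    # 2. Every other PHP page: the app starts a session on each request, so
    #    Set-Cookie is ignored for the cache decision and stripped from the
    #    response; the stored copy therefore carries no cookie at all.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_cache php_cache;
        fastcgi_cache_key "$scheme$request_method$host$request_uri";
        fastcgi_cache_valid 200 10m;
        fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
        fastcgi_hide_header Set-Cookie;
        # Visitors who already hold a session cookie (i.e. logged in via /login)
        # skip the shared cache, so personalised pages are neither served from
        # nor written into it. Cookie name is an assumption.
        fastcgi_cache_bypass $cookie_PHPSESSID;
        fastcgi_no_cache     $cookie_PHPSESSID;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

The bypass/no_cache pair in the second location is the check most people forget: hiding Set-Cookie keeps cookies out of the cache, but without it a logged-in user would still receive the anonymous cached page for any URL that was already stored.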

... and just as a bonus: NGINX is all great, but Varnish is quite flexible about manipulating both the client and upstream header sets, e.g.:

sub vcl_recv {
    # Drop client cookies that do not belong to this site, so unrelated
    # cookies do not make every request uncacheable.
    if (req.http.cookie !~ "mainsite") {
        unset req.http.cookie;
    }
}
sub vcl_backend_response {
    # Strip Set-Cookie from every backend response except the login endpoint,
    # so only /login responses stay uncacheable.
    if (beresp.http.Set-Cookie && bereq.url != "/login") {
        unset beresp.http.Set-Cookie;
    }
}