Moodle / MDL-73127

Prevent session cookie caching in CDNs, Varnish, CloudFront etc.

Details

    • Improvement
    • Status: Open
    • Minor
    • Resolution: Unresolved
    • Future Dev
    • None
    • Caching, Performance

    Description

      Most CDNs do request coalescing, so you need to tell the cache to never store any cached response that contains cookies; they should be stripped out before they are stored. Currently we (Catalyst AU) do this with Varnish config, but I think it's possible to move this into extra Cache-Control headers that in theory should be honored by any cache or CDN layer.

      Some docs:

      https://info.varnish-software.com/blog/hit-for-pass-varnish-cache

      If you want to receive cookies at your origin but you don't want CloudFront to cache the Set-Cookie headers in your origin's responses, configure your origin to add a Cache-Control header with a no-cache directive that specifies Set-Cookie as a field name. For example: Cache-Control: no-cache="Set-Cookie". For more information, see Response Cache-Control Directives in the Hypertext Transfer Protocol (HTTP/1.1): Caching standard.

      https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Cookies.html

      Docs for Cache-Control specifically around stripping headers:

      https://datatracker.ietf.org/doc/html/rfc7234#section-5.2.2.2

       

      So I'm not 100% sure, but I think we can do something like:

      1) whenever we set a new cookie, ensure that we also send a header saying that it should be stripped out

      Cache-Control: no-cache="Set-Cookie"

      2) I'm fairly sure it is valid that we can send multiple Cache-Control headers which means we can split this logic out and send this header just in the very small number of places where we set a cookie, and not in the large number of other places which set other Cache-Control headers which would be near impossible to fully track down in core and all plugins.

      See https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
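
      An added example, not part of the original issue and not Moodle code: a small audit check that merges every Cache-Control field line of a response, the way a recipient treats repeated headers, and models what a shared cache would keep. It assumes the worst case (anything not forbidden is storable), models a qualified no-cache or private by dropping the named fields from the stored copy, and uses constructed sample headers; all function names are hypothetical.

```python
import re

# One directive: name, optionally followed by =token or ="quoted, list".
_DIRECTIVE = re.compile(r'([\w-]+)(?:=("[^"]*"|[^,\s]*))?')

def parse_cache_control(headers):
    """Return [(directive, argument-or-None)] across every Cache-Control field line."""
    # Repeated field lines are equivalent to one comma-joined line (RFC 2616 sec 4.2).
    merged = ", ".join(v for k, v in headers if k.lower() == "cache-control")
    return [(m.group(1).lower(), m.group(2).strip('"') if m.group(2) else None)
            for m in _DIRECTIVE.finditer(merged)]

def shared_cache_copy(headers):
    """Headers a shared cache would keep, or None if it must not store the response.

    Assumption: status code, Expires, Vary and heuristic freshness are ignored.
    """
    stripped = set()
    for name, arg in parse_cache_control(headers):
        if name == "no-store" or (name == "private" and arg is None):
            return None  # a shared cache must not store this response at all
        if name in ("no-cache", "private") and arg:
            # Qualified form: only the listed header fields are protected.
            stripped.update(f.strip().lower() for f in arg.split(",") if f.strip())
    return [(k, v) for k, v in headers if k.lower() not in stripped]

def set_cookie_would_be_cached(headers):
    """True when a Set-Cookie header survives into the shared cache's stored copy."""
    copy = shared_cache_copy(headers)
    return copy is not None and any(k.lower() == "set-cookie" for k, _ in copy)

# Constructed sample responses (not captured from a real site).
UNPROTECTED = [("Cache-Control", "public, max-age=300"),
               ("Set-Cookie", "MoodleSession=EXAMPLE; path=/; HttpOnly")]
# Same response plus the separate header proposed in step 1.
PROTECTED = UNPROTECTED + [("Cache-Control", 'no-cache="Set-Cookie"')]
PRIVATE = [("Cache-Control", "private"),
           ("Set-Cookie", "MoodleSession=EXAMPLE; path=/; HttpOnly")]

if __name__ == "__main__":
    for label, resp in (("unprotected", UNPROTECTED),
                        ("protected", PROTECTED),
                        ("private", PRIVATE)):
        print(label, "-> Set-Cookie cached:", set_cookie_would_be_cached(resp))
```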

       

       

          People

            Unassigned Unassigned
            brendanheywood Brendan Heywood
            Matteo Scaramuccia, Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Sara Arjona (@sarjona), Matteo Scaramuccia, Andrew Lyons, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze
            Votes: 3
            Watchers: 6