Varnish cookbook session cookie handling #4628
Conversation
| If this headers are not set properly, Symfony will append the port where the | ||
| PHP application is running, e.g. ``8080``, when generating absolute URLs. | ||
|
|
||
| Session Cookies and Caching |
There was a problem hiding this comment.
this section is the only addition compared to #4627
| .. index:: | ||
| single: Varnish; configuration | ||
|
|
||
| Make Symfony Trust the Reverse Proxy |
| not. When you use the Symfony reverse proxy, you don't need to do anything. | ||
| But to make Varnish instead of Symfony resolve the ESI tags, you need some | ||
| configuration in Varnish. Symfony uses the ``Surrogate-Capability`` header | ||
| from the (`Edge Architecture`_) described by Akamai . |
There was a problem hiding this comment.
the only new section compared to #4627 in here is "Session Cookies and Caching"
but you are right that this is weird. i just reformatted this section, did not change the content. but will have another look into this.
There was a problem hiding this comment.
because it was there before. bad excuse. fixed.
| /* Force cache lookup for requests with cookies */ | ||
| return (lookup); | ||
| } | ||
| } |
There was a problem hiding this comment.
In practical terms, what should this mean to the user? I think it means that you're telling Varnish to yes be ok with caching requests that contain cookies. And so, as a user, you must be very careful to not rely on the session for any parts of your page where you return caching headers. If you violate this rule, then you will cache something with - for example - a user's username in it.
Is this about right? I want to walk the user through this as much as possible. For me, it seems that you should be (as you elude to here) identifying which portions of your page need the session, isolating them into non-cached ESI fragments, then caching the whole page (or doing a complete opposite strategy where you isolate non-session-needing heavy pieces, then don't cache the whole page).
The point is, this is non-trivial, so perhaps we need to walk them through a bit more tutorial-styled.
There was a problem hiding this comment.
Actually, I still mean everything I said, but most of what I said should be in the book. I still think we can add a few more details, like those I have in my first paragraph.
There was a problem hiding this comment.
i tried to make this more explicit, and also added a warning at the end of the section.
dbu
changed the title
|
|
||
| Be sure to test your setup. If you do not ``Vary`` content that depends on | ||
| the session, users will see content from somebody else. If you ``Vary`` too | ||
| much, the Varnish cache will be filled with duplicate content for every |
There was a problem hiding this comment.
i dont think we should suggest varying based on cookies. this is just useable if you vary on flags (Terms, Users Age, ...)
There was a problem hiding this comment.
i disagree. assume i have one url /_fragment/user/toolbar that renders the user name into every page. the rest of the content does not vary on cookie, but this one url does. and its embedded with ESI into every page. then we would want to cache this url as a variant for every single user to avoid reloading it all the time. once you log out, your session will be destroyed, meaning the session cookie changes and thus you don't see your username anymore.
obviously, you need to clean the cookie string for this to work, you don't want any js cookies irrelevant for the backend in here.
There was a problem hiding this comment.
you could also store the username in a cookie / localstorage or something else to print it. from my point of view storing user specific content in the reverse proxy can be a good idea but most time you should try to avoid it. people could think it's a good idea to mess up the cache with a Vary on the Cookie. This issue is hard to find for newbies because most times, if they test they use the same cookie. Why not creating a advanced cookbook where we explain how to cache based on Cookies (Javascript), Cookies + Vary (Varnish), Localstorage, ....
|
@timglabisch copied your comment from a line that was now changed:
the problem is that saying to cache even when there are cookies is pretty dangerous. but stripping all cookies including the session is a really good trick to break your knees... this somewhat touches #4661 - somebody could either expand that one or add a separate receipie to the cookbook. i do not plan to do that right now (its been a while that i even worked with a html frontend and varnish, currently i am caching APIs :-) ). so what do we do? should i just drop the bit about ESI and vary on cookie? or mention it in 5 words and let people wonder how it actually can be done? |
| @@ -60,6 +60,87 @@ If the ``X-Forwarded-Port`` header is not set correctly, Symfony will append | |||
| the port where the PHP application is running when generating absolute URLs, | |||
| e.g. ``http://example.com:8080/my/path``. | |||
|
|
|||
| Session Cookies and Caching | |||
There was a problem hiding this comment.
why not dropping the word "Session", it's for all Cookies.
|
my problem is that this PR suggests that using vary on the cookie header is the way to go. i would do a lot to avoid caching based on a user specific cookie, for me this is more like an antipattern that can work in some situations. Don't get me wrong, the PR provides a useable way, but i would like the reader to know that there are alternative ways to solve such problems. if the page could be cached based on a user specific cookie, most time it's not worth to be cached at all. if you're running a huge varnish cluster without stickiness you even can hurt the performance. I am 👍 with this PR but would love to see a hint that there are a lot of caching strategies with different advantages and disadvantages. |
| If content is not different for every user, but depends on the roles of a | ||
| user, a solution is to separate the cache per group. This pattern is | ||
| implemented and explained by the FOSHttpCacheBundle_ under the name | ||
| *User Context*. |
There was a problem hiding this comment.
what about linking directly to the relevant page of the bundle documentation ?
* link user context to relevant section of the doc * better explain what we achieve with cleaning the cookies
| start a session when actually needed, and clear the session when it is no | ||
| longer needed. Alternatively, you can look into :doc:`../cache/form_csrf_caching`. | ||
|
|
||
| .. todo link "only start a session when actually needed" to cookbook/session/avoid_session_start once https://github.com/symfony/symfony-docs/pull/4661 is merged |
There was a problem hiding this comment.
eliminated one of the TODOs . #4661 is still not merged, so i can't link to that. can we wrap those up?
There was a problem hiding this comment.
I think #4661 is kind of blocked because of the difficulty of the topic - you have 1 open question and 1 todo on that issue that I can't answer without some time to look into things.
As an aside, for me, this smells like a bug or missing feature in Symfony. I think the PR symfony/symfony#6388 or issue symfony/symfony#6036 need to be finally pushed along - the functionality just isn't right. Of course, that's an even bigger task.
There was a problem hiding this comment.
okay. can we get this PR merged then? looks like the session start issue is a potentially long story.
or do you not want todos in the doc code? should we create a new issue to remind us that when #4661 is merged we add a reference in this section of the doc.
|
Yep, we'll keep that todo in there for now. Thanks for giving these sections much-needed updates. Cheers! |
This PR was merged into the 2.3 branch. Discussion ---------- Varnish cookbook session cookie handling | Q | A | ------------- | --- | Doc fix? | yes | New docs? | no | Applies to | all | Fixed tickets | #3881 This builds on top of #4627 but i wanted to keep it separate as there are open questions in here. Commits ------- b294b24 cleanup from feedback 7a4dafc remove part about vary on cookie c88ad32 explain how to work with cookies and sessions when caching
This builds on top of #4627 but i wanted to keep it separate as there are open questions in here.