Nginx fastcgi_cache hide Set-Cookie when serving from cache

Question

I'm trying to use nginx fastcgi_cache to serve some pages from my site, it worked fine but I found that sessions were being duplicated to all the users because Set-Cookie was cached in the response.

I've tried several solutions, but I don't want to disable cookies in those pages, only to ignore them when serving from cache. Is there any way to do this? I've considered moving to varnish but I have several sites in the same server and I'd like to avoid it.

I've also tried this, but no success

fastcgi_cache_path /etc/nginx/cache/iteramos levels=1:2 keys_zone=ITERAMOS:120m inactive=60m;
fastcgi_cache_key "$scheme$request_method$host$request_uri";

set $supercache_uri $request_uri;
set $no_cache 1;

#set no cache to 0 (do cache) if we are in listing pages
if ($supercache_uri ~ ^/(preguntas|etiquetada|etiquetas)$) {
    set $no_cache 0;
    set $supercache_uri '';
}
if ($supercache_uri = /) {
    set $no_cache 0;
    set $supercache_uri '';
}

if ($supercache_uri ~ ^/?page= ) {
    set $no_cache 0;
    set $supercache_uri '';
}

location ~ \.php$ {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_ignore_headers "Cache-Control" "Expires" "Set-Cookie";
    fastcgi_cache ITERAMOS;
    fastcgi_cache_valid 200 60m;
    #this header adds a hit / bypass / miss header
    fastcgi_cache_use_stale error timeout;
    add_header X-Cache $upstream_cache_status;
    fastcgi_cache_bypass $no_cache;
    fastcgi_no_cache $no_cache;
}

Thanks in advance

score 1 · Answer 1 · edited Aug 19 '15 at 14:37

1

Try to use fastcgi_hide_header:

fastcgi_hide_header "Set-Cookie";

This will hide all cookies when the request hits cache. official docs

edited Aug 19 '15 at 14:37

chicks

3,793
10
27
36

answered Aug 19 '15 at 13:05

Michael

19
2

2

i am facing a similar problem. On using this line, nginx is ignoring Set-Cookie in all pages. I have put it in `location ~ \.php$` block. When i try to set it in an if block where i set $no_cache 0, inside `location ~ \.php$` block, i get the error that it is not allowed there. can you help? – Archit Saxena Jun 29 '17 at 08:26
I'm in need of the same -- to hide header only on cached pages, and getting the error @ArchitSaxena mentioned. Any updates by chance on a solution? – ctrlbrk Oct 28 '18 at 03:27
In the end I stopped caching at all if the user had the login cookie, like this: if ($http_cookie ~ "cartalyst_sentry") { set $no_cache 1; set $cache_rewrite 0; } – SkarXa Oct 31 '18 at 07:40

score 0 · Answer 2 · answered Dec 19 '19 at 14:37

The following solution sends the desired header when the response is from backend, and then it hides it, if response is from cache. The example shown will hide all cookies from cached responses.

You will need Lua module. On Debian 10 I installed apt-get install libnginx-mod-http-lua.

map $upstream_bytes_received $hide_cookie {
   default '';
   '' Set-Cookie;
}

Inside location:

header_filter_by_lua_block {
   ngx.header[ngx.var.hide_cookie] = nil;
}

More explanation, other options without Lua, and explanation of why I needed Lua (to use variables) here: https://stackoverflow.com/a/59383747/4932239

Nginx fastcgi_cache hide Set-Cookie when serving from cache

2 Answers2

Linked