Hello,
I’ve found that Trellis sets these configuration values for NGINX when caching is enabled:
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
fastcgi_pass_header Set-Cookie;
fastcgi_pass_header Cookie;
These lines instruct NGINX to cache responses even if they include a Set-Cookie header (such responses would not be cached by default). At the same time, Set-Cookie and Cookie are passed to the client.
I’m wondering if this is safe. E.g. WooCommerce sets the wp_woocommerce_session cookie. It can also set woocommerce_recently_viewed on every product view. Aren’t we then running the risk of serving all our visitors the cookies that were generated for the first user who requested the resource?
This issue was mentioned in the discussion at SO (NGINX caching and cookies).
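For comparison, here is an added NGINX configuration (my own example, not Trellis’s code) that avoids storing cookie-setting responses and bypasses the cache for requests that already carry the personalised cookies named above. The cache zone name, paths and socket are assumptions; the `X-Cache-Status` header is there so you can check HIT/BYPASS per request.

```nginx
# http {} context. Cache path and zone name "wordpress" are assumed.
fastcgi_cache_path /var/cache/nginx/wordpress levels=1:2
                   keys_zone=wordpress:10m inactive=60m;

# Requests carrying a per-user cookie must neither read from nor write to the cache.
# Cookie names taken from the question; wordpress_logged_in_ is the core login cookie.
map $http_cookie $skip_cache {
    default                       0;
    ~*wp_woocommerce_session      1;
    ~*woocommerce_recently_viewed 1;
    ~*wordpress_logged_in_        1;
}

server {
    listen 80;
    server_name example.com;          # assumed
    root /srv/www/example.com/web;    # assumed

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php-fpm.sock;   # assumed socket

        fastcgi_cache        wordpress;
        fastcgi_cache_valid  200 301 302 10m;

        # Skip the cache for personalised requests (lookup and storage).
        fastcgi_cache_bypass $skip_cache;

        # Set-Cookie is deliberately NOT listed: a response that sets a cookie
        # is user-specific and keeps NGINX's default "do not cache" behaviour.
        fastcgi_ignore_headers Cache-Control Expires;

        # Defence in depth: refuse to store the response if either the request was
        # personalised or the upstream sets a cookie anyway (evaluated after the
        # upstream replies, so $upstream_http_set_cookie is populated here).
        fastcgi_no_cache $skip_cache $upstream_http_set_cookie;

        # Expose the cache decision so a cookie-bearing request can be verified as BYPASS.
        add_header X-Cache-Status $upstream_cache_status;
    }
}
```

With this in place, a fresh anonymous request shows `X-Cache-Status: MISS` then `HIT`, while a request sending wp_woocommerce_session shows `BYPASS` and never receives another user's stored Set-Cookie.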