I’ve found that Trellis sets these configuration values for NGINX when caching is enabled:
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
These lines instruct NGINX to cache responses even if they include a Set-Cookie header (such responses would not be cached by default). At the same time, cookies are passed to the client.
I’m wondering if this is safe. E.g. WooCommerce sets the wp_woocommerce_session cookie. It can also set woocommerce_recently_viewed on every product view. Aren’t we then running the risk of serving all your visitors the cookies that were generated for the first user who requested the resource?
This issue was mentioned in the discussion at SO (NGINX caching and cookies).
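An added example, not part of the original post and not Trellis's own configuration: the directive quoted above next to a variant that leaves Set-Cookie out of the ignore list and skips the cache for requests that already carry a session cookie. The zone name `wordpress`, the socket path, the cache key, the `$skip_cache` variable and the `wordpress_logged_in` pattern are assumptions; the WooCommerce cookie names come from the post.

```nginx
# --- http {} context ---------------------------------------------------
# Assumed cache zone; path and sizes are placeholders.
fastcgi_cache_path /var/cache/nginx levels=1:2 keys_zone=wordpress:10m inactive=1h;

# Hypothetical helper variable: 1 when the request carries a per-user cookie.
map $http_cookie $skip_cache {
    default                        0;
    "~*wp_woocommerce_session"     1;   # cookie name from the post
    "~*woocommerce_recently_viewed" 1;  # cookie name from the post
    "~*wordpress_logged_in"        1;   # assumed: WordPress login cookie
}

# --- server {} context ---------------------------------------------------
location ~ \.php$ {
    include        fastcgi_params;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass   unix:/run/php/php-fpm.sock;   # assumed socket path

    fastcgi_cache        wordpress;
    fastcgi_cache_key    "$scheme$request_method$host$request_uri";
    fastcgi_cache_valid  200 30s;

    # Setting quoted in the post. With Set-Cookie in this list, a response
    # that sets a cookie is stored, headers included, and the stored
    # Set-Cookie is sent again on every hit for that cache key:
    #   fastcgi_ignore_headers Cache-Control Expires Set-Cookie;

    # Variant: Set-Cookie is not ignored, so NGINX keeps its default of
    # not storing any response that carries a Set-Cookie header.
    fastcgi_ignore_headers Cache-Control Expires;

    # Requests that already have a per-user cookie neither read from
    # nor write to the cache.
    fastcgi_cache_bypass $skip_cache;
    fastcgi_no_cache     $skip_cache;

    # Exposes MISS / HIT / BYPASS so the behaviour can be checked per request.
    add_header X-Cache-Status $upstream_cache_status;
}
```

To check a running site, request the same product URL from two clean clients and compare: a response marked `HIT` that still carries a `Set-Cookie` header with the value issued to the first client shows the replay the post asks about.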