NGINX caching configuration in Trellis

Hello,

I’ve found that Trellis sets these configuration values for NGINX when caching is enabled:

fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
fastcgi_pass_header Set-Cookie;
fastcgi_pass_header Cookie;

These lines instruct NGINX to cache responses even if they include a Set-Cookie header (such responses would not be cached by default). At the same time, Set-Cookie and Cookie are passed to the client.

I’m wondering if this is safe. E.g. WooCommerce sets the wp_woocommerce_session cookie. It can also set woocommerce_recently_viewed on every product view. Aren’t we then running the risk of

serving all your visitors the cookies that were generated for the first user who requested the resource?

This issue was mentioned in the discussion at SO (NGINX caching and cookies).

1 Like

Those 3 settings are set globally, regardless of whether caching is enabled or not.

Trellis includes a setting for skipping certain cookies: https://github.com/roots/trellis/blob/3f6f4c155c9cc177b746be45cd33a1bf4506033a/roles/wordpress-setup/templates/wordpress-site.conf.j2#L62-L65

On https://roots.io for example, we customize that to add on a cookie name for Easy Digital Downloads:

skip_cache_cookie: comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|edd_items_in_cart

You may need to do the same for those 2 WooCommerce cookies.

2 Likes
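To make the behaviour discussed in both posts concrete, here is an added example (not code from the thread, Trellis or NGINX) that models the two directives in a few lines of Python: a cache that, like `fastcgi_ignore_headers Set-Cookie` plus `fastcgi_pass_header Set-Cookie`, stores a response together with its Set-Cookie header and replays it to later visitors, and a skip check that, like the Trellis `skip_cache_cookie` template, bypasses the cache when the request's Cookie header matches a regex. It assumes the template matches the regex case-insensitively against the whole `$http_cookie` value (the `~*` operator), which is how the quoted pattern reads; the WooCommerce backend and the visitor cookies are constructed for the illustration.

```python
import re
from typing import Callable, Dict, Optional, Tuple

# skip_cache_cookie value quoted in the thread for roots.io, plus an extended
# version that also names the two WooCommerce cookies from the question.
# Both are matched against the request's Cookie header the way nginx's
# `if ($http_cookie ~* "...")` would (assumption about the Trellis template).
ROOTS_IO_SKIP = (
    r"comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache"
    r"|wordpress_logged_in|edd_items_in_cart"
)
WOOCOMMERCE_SKIP = ROOTS_IO_SKIP + r"|wp_woocommerce_session|woocommerce_recently_viewed"

Response = Tuple[str, Optional[str]]  # (body, Set-Cookie header or None)
Backend = Callable[[str, str], Response]


def should_skip_cache(cookie_header: str, skip_pattern: str) -> bool:
    """Mirror `~*`: case-insensitive, unanchored regex search over the Cookie header."""
    return re.search(skip_pattern, cookie_header, re.IGNORECASE) is not None


class FastcgiCache:
    """Toy model of fastcgi_cache with `fastcgi_ignore_headers Set-Cookie` and
    `fastcgi_pass_header Set-Cookie`: a response is stored and replayed with its
    Set-Cookie header intact. The cache key is the URL only, so every visitor of
    that URL shares one entry."""

    def __init__(self, skip_pattern: str) -> None:
        self.skip_pattern = skip_pattern
        self.store: Dict[str, Response] = {}

    def handle(self, url: str, cookie_header: str, backend: Backend) -> Response:
        if should_skip_cache(cookie_header, self.skip_pattern):
            # Matching request cookie: go to PHP and store nothing.
            return backend(url, cookie_header)
        if url in self.store:
            return self.store[url]  # replayed, Set-Cookie included
        resp = backend(url, cookie_header)
        self.store[url] = resp  # stored even though it carries Set-Cookie
        return resp


def woocommerce_backend(url: str, cookie_header: str) -> Response:
    """Constructed stand-in for WordPress + WooCommerce: it (re)issues the
    visitor's session cookie on every product view."""
    m = re.search(r"wp_woocommerce_session=([^;]+)", cookie_header)
    session = m.group(1) if m else "new-session"
    return (f"product page for {session}",
            f"wp_woocommerce_session={session}; Path=/; HttpOnly")


def simulate(skip_pattern: str) -> Tuple[Optional[str], Optional[str]]:
    """Visitor A, who already holds a WooCommerce session, views a product;
    then visitor B, with no cookies, views the same product. Returns the
    Set-Cookie header each of them receives."""
    cache = FastcgiCache(skip_pattern)
    _, a_cookie = cache.handle("/product/widget",
                               "wp_woocommerce_session=alice-session",
                               woocommerce_backend)
    _, b_cookie = cache.handle("/product/widget", "", woocommerce_backend)
    return a_cookie, b_cookie


if __name__ == "__main__":
    _, b = simulate(ROOTS_IO_SKIP)
    print("roots.io skip list   -> visitor B receives:", b)
    _, b = simulate(WOOCOMMERCE_SKIP)
    print("WooCommerce added    -> visitor B receives:", b)
```

With the roots.io pattern, visitor A's response (carrying A's session cookie) is stored and visitor B is handed `wp_woocommerce_session=alice-session`, which is the sharing the question describes. With the two WooCommerce names added, A's request matches the skip regex, nothing is stored, and B gets a fresh session from the backend. Note that the bypass keys on the request's Cookie header, so it only takes effect once a visitor already carries one of the listed cookies; the same is true of the real `skip_cache_cookie` setting.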