Merge branch '6.4' into 7.1

javiereguiluz · javiereguiluz · commit 782014499b0d · 2025-01-02T13:27:42.000+01:00
* 6.4:
  Minor tweaks
  Add info for essential cookies (such as REMEMBERME)
diff --git a/http_cache/varnish.rst b/http_cache/varnish.rst
@@ -67,24 +67,29 @@ at least for some parts of the site, e.g. when using forms with
 and clear the session when it is no longer needed. Alternatively, you can look
 into :ref:`caching pages that contain CSRF protected forms <caching-pages-that-contain-csrf-protected-forms>`.
 
-Cookies created in JavaScript and used only in the frontend, e.g. when using
-Google Analytics, are nonetheless sent to the server. These cookies are not
-relevant for the backend and should not affect the caching decision. Configure
-your Varnish cache to `clean the cookies header`_. You want to keep the
-session cookie, if there is one, and get rid of all other cookies so that pages
-are cached if there is no active session. Unless you changed the default
-configuration of PHP, your session cookie has the name ``PHPSESSID``:
+Cookies created in JavaScript and used only on the frontend, such as those from
+Google Analytics, are still sent to the server. These cookies are not relevant
+for backend processing and should not influence the caching logic. To ensure
+this, configure your Varnish cache to `clean the cookies header`_ by retaining
+only essential cookies (e.g., session cookies) and removing all others. This
+allows pages to be cached when there is no active session.
+
+If you are using PHP with its default configuration, the session cookie is
+typically named ``PHPSESSID``. Additionally, if your application depends on other
+critical cookies, such as a ``REMEMBERME`` cookie for :doc:`remember me </security/remember_me>`
+functionality or a trusted device cookie for two-factor authentication, these
+cookies should also be preserved.
 
 .. configuration-block::
 
     .. code-block:: varnish4
 
         sub vcl_recv {
-            // Remove all cookies except the session ID.
+            // Remove all cookies except for essential ones.
             if (req.http.Cookie) {
                 set req.http.Cookie = ";" + req.http.Cookie;
                 set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";");
-                set req.http.Cookie = regsuball(req.http.Cookie, ";(PHPSESSID)=", "; \1=");
+                set req.http.Cookie = regsuball(req.http.Cookie, ";(PHPSESSID|REMEMBERME)=", "; \1=");
                 set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", "");
                 set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", "");
 
@@ -98,11 +103,11 @@ configuration of PHP, your session cookie has the name ``PHPSESSID``:
     .. code-block:: varnish3
 
         sub vcl_recv {
-            // Remove all cookies except the session ID.
+            // Remove all cookies except for essential ones.
             if (req.http.Cookie) {
                 set req.http.Cookie = ";" + req.http.Cookie;
                 set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";");
-                set req.http.Cookie = regsuball(req.http.Cookie, ";(PHPSESSID)=", "; \1=");
+                set req.http.Cookie = regsuball(req.http.Cookie, ";(PHPSESSID|REMEMBERME)=", "; \1=");
                 set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", "");
                 set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", "");
 
