Bypass cache if PHPSESSID exists
Christos Chatzaras
chris at cretaforce.gr
Thu May 9 17:11:26 UTC 2024
Hello,
I want to bypass cache if PHPSESSID exists.
I have this configuration:
http {
fastcgi_cache_path /tmpfs/cache levels=1:2 keys_zone=fastcgicache:10m inactive=10m max_size=1024m;
fastcgi_cache_key $device_type$scheme$request_method$host$request_uri;
fastcgi_cache_min_uses 1;
fastcgi_cache fastcgicache;
fastcgi_cache_valid 200 301 10s;
fastcgi_cache_valid 302 1m;
fastcgi_cache_valid 404 5m;
fastcgi_cache_lock on;
fastcgi_cache_lock_timeout 8000;
fastcgi_pass_header Set-Cookie;
fastcgi_pass_header Cookie;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
fastcgi_no_cache $no_cache;
fastcgi_cache_bypass $no_cache;
}
server {
location ~ [^/]\.php(/|$) {
set $no_cache "";
if ($request_method = POST) {
set $no_cache "1";
}
if ($http_cookie ~* "_mcnc|PHPSESSID") {
set $no_cache "1";
}
if ($no_cache = "1") {
add_header Set-Cookie "_mcnc=1; Max-Age=31536000; Path=/";
}
}
}
When I repeatedly run curl, the content is fetched from the cache, and the Set-Cookie header always contains "PHPSESSID=604e406c1c7a6ae061bf6ce3806d5eee", leading to session leakage:
curl -I https://example.com
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 09 May 2024 16:37:15 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: PHPSESSID=604e406c1c7a6ae061bf6ce3806d5eee; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Cache: HIT
Any idea what's wrong with my configuration?
Kind regards,
Christos Chatzaras
More information about the nginx
mailing list