Bypass cache if PHPSESSID exists

Maxim Dounin mdounin at mdounin.ru
Thu May 9 20:42:19 UTC 2024


Hello!

On Thu, May 09, 2024 at 08:11:26PM +0300, Christos Chatzaras wrote:

> Hello,
> 
> I want to bypass cache if PHPSESSID exists.
> 
> I have this configuration:
> 
> http {
> 	fastcgi_cache_path /tmpfs/cache levels=1:2 keys_zone=fastcgicache:10m inactive=10m max_size=1024m;
> 	fastcgi_cache_key $device_type$scheme$request_method$host$request_uri;
> 	fastcgi_cache_min_uses 1;
> 	fastcgi_cache fastcgicache;
> 	fastcgi_cache_valid 200 301 10s;
> 	fastcgi_cache_valid 302 1m;
> 	fastcgi_cache_valid 404 5m;
> 	fastcgi_cache_lock on;
> 	fastcgi_cache_lock_timeout 8000;
> 	fastcgi_pass_header Set-Cookie;
> 	fastcgi_pass_header Cookie;
> 	fastcgi_ignore_headers Cache-Control Expires Set-Cookie;

Note that you ignore Set-Cookie here, so responses with the 
Set-Cookie response headers from the upstream server are expected 
to be cached.

> 	fastcgi_no_cache $no_cache;
> 	fastcgi_cache_bypass $no_cache;

[...]

> 		if ($http_cookie ~* "_mcnc|PHPSESSID") {
> 			set $no_cache "1";
> 		}

And the $no_cache variable is set based on the Cookie request 
header, not the upstream server response headers.

[...]

> When I repeatedly run curl, the content is fetched from the 
> cache, and the Set-Cookie header always contains 
> "PHPSESSID=604e406c1c7a6ae061bf6ce3806d5eee", leading to session 
> leakage:
> 
> curl -I https://example.com
> HTTP/1.1 200 OK
> Server: nginx
> Date: Thu, 09 May 2024 16:37:15 GMT
> Content-Type: text/html; charset=UTF-8
> Connection: keep-alive
> Vary: Accept-Encoding
> Set-Cookie: PHPSESSID=604e406c1c7a6ae061bf6ce3806d5eee; path=/
> Expires: Thu, 19 Nov 1981 08:52:00 GMT
> Cache-Control: no-store, no-cache, must-revalidate
> Pragma: no-cache
> X-Cache: HIT
> 
> Any idea what's wrong with my configuration?

Your configuration explicitly permits caching of such responses 
due to the "fastcgi_ignore_headers" directive you use.  Consider 
removing it.

-- 
Maxim Dounin
http://mdounin.ru/
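The point of the reply, shown as a configuration: a corrected version of the quoted fragment in which Set-Cookie is no longer ignored, so any upstream response that sets a session cookie is never stored in the cache, while the request-side bypass for existing session cookies is kept. This is an added example written for this page, not configuration from either participant; the surrounding http/server/location context, the document root, the PHP-FPM socket path and the cookie names are assumptions, and the original config's elided parts ([...]) are not reconstructed.

```nginx
# Added example (not the original poster's configuration).
# Assumed paths and names: /tmpfs/cache, /var/www/html, the PHP-FPM socket,
# and the cookie names _mcnc / PHPSESSID.

http {
    fastcgi_cache_path /tmpfs/cache levels=1:2 keys_zone=fastcgicache:10m
                       inactive=10m max_size=1024m;

    # Request side: a client that already carries a session cookie must
    # neither be served from the cache nor have its response stored.
    # "map" is the idiomatic replacement for the quoted "if" block.
    map $http_cookie $no_cache {
        default 0;
        "~*_mcnc|PHPSESSID" 1;
    }

    server {
        listen 80;
        server_name example.com;   # assumed host
        root /var/www/html;        # assumed document root

        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

            fastcgi_cache fastcgicache;
            fastcgi_cache_key $scheme$request_method$host$request_uri;
            fastcgi_cache_min_uses 1;
            fastcgi_cache_valid 200 301 10s;
            fastcgi_cache_valid 302 1m;
            fastcgi_cache_valid 404 5m;
            fastcgi_cache_lock on;
            fastcgi_cache_lock_timeout 8000;

            fastcgi_no_cache $no_cache;
            fastcgi_cache_bypass $no_cache;

            # Response side: Cache-Control and Expires are still ignored so
            # that PHP's default "nocache" session headers do not disable
            # caching of anonymous pages. Set-Cookie is deliberately NOT in
            # this list any more: with the default handling, a response that
            # carries Set-Cookie is not stored, which closes the leak.
            fastcgi_ignore_headers Cache-Control Expires;

            # Expose the cache decision so the fix can be checked with curl -I:
            # a response carrying Set-Cookie must show MISS or BYPASS, never HIT.
            add_header X-Cache $upstream_cache_status;
        }
    }
}
```

After reloading, repeating the same `curl -I` against a page that starts a session should show `X-Cache: MISS` on every request and a different PHPSESSID each time; a page that does not set a cookie should still reach `X-Cache: HIT` on the second request. Note that `fastcgi_pass_header Cookie` from the original fragment is omitted here: `fastcgi_pass_header` applies to upstream response headers, and Cookie is a request header, so the line has no effect.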