Re: nginx cache seems to swallow Set-Cookie

mschipperheyn January 13, 2011 04:52PM
I realize that this is an old thread but it relates to my question. I use proxy_cache with a somewhat special approach.
Users can log in to our site, which has been designed to be completely reverse proxy cacheable, even when a user is logged in. We use a separate JSON call to retrieve session information for the user.

So some pages like /product/* are cacheable but they may still be retrieved by a logged-in user. I want to make sure that the Set-Cookie doesn't accidentally get cached and allow another user to access my session. Just this kind of thing seemed to happen the other day when an anonymous user was suddenly logged in under my account, so now I'm not sure how to see it. I am hoping that this was an issue related to a stale proxy_cache that accumulated "illegal" content over the course of development and changes in configuration.

The desired functionality is:
Anonymous user
* request cacheablepage1.html
* retrieve from cache if available => cachefile01
* put in cache
Logged in user
* request cacheablepage1.html
* retrieve from cache => cachefile01
* request cacheablepage2.html
* retrieve from cache if available
* put in cache but strip any set-cookie associated with the session => cachefile02
* get cachefile02
Anonymous user
* request cacheablepage2.html
* retrieve from cache if available => cachefile02
Any result from a POST
* never put in proxy cache

My current config for this is
[code]
server {
    listen 80 default_server;
    server_name _;
    server_name_in_redirect off;
    charset utf-8;
    root /var/lib/APP;
    add_header Cache-Control public;

    set $proxy_bypass off;

    [..]

    location ~ (cart|account|editor|admin)$ {
        set $proxy_bypass on;
        try_files $uri @proxy;
    }
    location / {
        keepalive_timeout 30;
        rewrite ^([^.]*[^/])$ $1/ permanent;
        try_files $uri @proxy;
    }
    location @proxy {
        proxy_cache STATIC;
        proxy_pass http://localhost:9000;
        proxy_cache_valid 200 15m;
        proxy_cache_valid 404 5m;
        proxy_cache_use_stale error timeout invalid_header updating
                              http_500 http_502 http_503 http_504;
        proxy_cache_key $host$request_uri;
        proxy_ignore_headers Set-Cookie;
        proxy_cache_bypass $proxy_bypass;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        #proxy_max_temp_file_size 0;
        proxy_buffering on;
        #proxy_store off;

        proxy_connect_timeout 30;
        proxy_send_timeout 30;
        proxy_read_timeout 30;

        # All POST requests go directly
        if ($request_method = POST) {
            proxy_pass http://localhost:9000;
            break;
        }
    }
}
[/code]


Are my assumptions correct? What directives are important to pay attention to in order to avoid accidental session access for the wrong user?

Kind regards,

Marc
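
An added example, not part of the post above and not the poster's configuration: one way to lay out the locations so that a session cookie can never be stored in or served from the cache. The upstream address, the STATIC zone and the path list are taken from the post; the names @cached and @dynamic are assumptions made for this sketch.

```nginx
server {
    listen 80 default_server;
    root /var/lib/APP;

    # Session-bearing paths: no cache lookup, no cache store,
    # and Set-Cookie passes through to the client untouched.
    location ~ (cart|account|editor|admin)$ {
        try_files $uri @dynamic;
    }

    location / {
        try_files $uri @cached;
    }

    location @dynamic {
        # No proxy_cache directive here, so nothing from these
        # responses is ever written to the STATIC zone.
        proxy_pass http://localhost:9000;
        proxy_set_header Host $http_host;
    }

    location @cached {
        proxy_pass http://localhost:9000;
        proxy_set_header Host $http_host;

        proxy_cache STATIC;
        proxy_cache_key $host$request_uri;
        proxy_cache_valid 200 15m;
        proxy_cache_valid 404 5m;

        # By default nginx refuses to cache a response that carries
        # Set-Cookie. Ignoring the header lifts that refusal, so the
        # cookie is written into the cache file along with the page ...
        proxy_ignore_headers Set-Cookie;
        # ... and therefore has to be removed from every response sent
        # from this location, on a cache hit as well as on a miss.
        proxy_hide_header Set-Cookie;

        # POST is outside the default proxy_cache_methods (GET HEAD),
        # so POST responses are neither looked up nor stored.
    }
}
```

If a flag variable is used with proxy_cache_bypass or proxy_no_cache instead of separate locations, note that both treat any value other than an empty string or 0 as true, so the flag should be 0/1 rather than off/on. proxy_cache_bypass on its own only skips the cache lookup; the fetched response can still be stored unless proxy_no_cache is set as well.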