

Bypass cache if PHPSESSID exists

May 09, 2024 01:12PM

I want to bypass cache if PHPSESSID exists.

I have this configuration:

http {
    fastcgi_cache_path /tmpfs/cache levels=1:2 keys_zone=fastcgicache:10m inactive=10m max_size=1024m;
    fastcgi_cache_key $device_type$scheme$request_method$host$request_uri;
    fastcgi_cache_min_uses 1;
    fastcgi_cache fastcgicache;
    fastcgi_cache_valid 200 301 10s;
    fastcgi_cache_valid 302 1m;
    fastcgi_cache_valid 404 5m;
    fastcgi_cache_lock on;
    fastcgi_cache_lock_timeout 8000;
    fastcgi_pass_header Set-Cookie;
    fastcgi_pass_header Cookie;
    fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
    fastcgi_no_cache $no_cache;
    fastcgi_cache_bypass $no_cache;

    server {

        location ~ [^/]\.php(/|$) {

            set $no_cache "";

            # Skip the cache for POST requests
            if ($request_method = POST) {
                set $no_cache "1";
            }

            # Skip the cache when the request carries _mcnc or PHPSESSID
            if ($http_cookie ~* "_mcnc|PHPSESSID") {
                set $no_cache "1";
            }

            # Mark the client so that later requests also skip the cache
            if ($no_cache = "1") {
                add_header Set-Cookie "_mcnc=1; Max-Age=31536000; Path=/";
            }
        }
    }
}

When I repeatedly run curl, the content is fetched from the cache, and the Set-Cookie header always contains "PHPSESSID=604e406c1c7a6ae061bf6ce3806d5eee", leading to session leakage:

curl -I https://example.com
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 09 May 2024 16:37:15 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: PHPSESSID=604e406c1c7a6ae061bf6ce3806d5eee; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Cache: HIT

Any idea what's wrong with my configuration?

Kind regards,
Christos Chatzaras
nginx mailing list
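
One way to keep the session cookie out of the cache, as an added example that is not part of the original post or of any reply in the thread: it changes only the cacheability directives from the posted `http` block and reuses the post's `$no_cache` variable. The `$upstream_http_set_cookie` term is an extra safeguard assumed here, not something the post uses.

```nginx
# Added example, not from the original post. Only the directives that change
# are shown; everything else in the posted http{} block stays as it is.

# Before (as posted): listing Set-Cookie here tells nginx to ignore it when
# deciding cacheability, so a response that creates a PHP session is stored
# together with its "Set-Cookie: PHPSESSID=..." header and replayed on a HIT.
# The request that triggers it carries no cookie yet, so $no_cache is empty.
#fastcgi_ignore_headers Cache-Control Expires Set-Cookie;

# After: keep overriding PHP's Cache-Control/Expires, but let nginx apply its
# default rule again: a response carrying Set-Cookie is not cached.
fastcgi_ignore_headers Cache-Control Expires;

# Defence in depth: never store a response whose upstream headers include
# Set-Cookie, even if the ignore list is widened again later.
fastcgi_no_cache     $no_cache $upstream_http_set_cookie;

# Bypass is decided from the request only (POST, _mcnc or PHPSESSID cookie),
# exactly as in the posted location block.
fastcgi_cache_bypass $no_cache;

# Caveat: if the application starts a session on every page, cookie-less
# requests always receive Set-Cookie and anonymous pages stop being cached.
```

After a reload, repeating the `curl -I` from the post should no longer return `Set-Cookie: PHPSESSID=...` together with `X-Cache: HIT`. Entries stored before the change remain under `/tmpfs/cache` until they expire or are removed.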