Appointments+: Cache-busting PHP session cookies

Per this ticket, I have been forced to configure our Varnish cache to remove PHP session cookies for users who are not logged in, or no content page will get cached.

For M2P (the subject of that ticket), this is probably not a problem because the only time M2P matters (in our use case) is when the user is logged in.

However, on one specific site, we also use Appointments+ specifically for users who are not logged in.

Would the dev for Appointments+ please comment on the impact of disabling PHP session cookies on Appointments+?

  • Milan

    Dear @David King,

    I hope you are having a good day.

    As you need feedback about what will happen if you disable PHP session cookies on Appointments+, I've flagged the developer for feedback.

    Please wait till the developer replies on this thread. This will take slightly more time than the usual support staff reply.

    Please let us know if there is anything else we can help you with.

    Milan Savaliya
    Support Staff (WPMUDEV)

  • David King

    Hrm. Thanks for that. Sounds like we might just get away with it, then, because the site that uses it doesn't require logins to book appointments. As long as they can do that (and pay) then that's all that really matters.

    I don't know if you read through that other thread, so I have to ask: are you aware of the effect of PHP session cookies on caches like Varnish?

    I suppose one could nuke the session cookies except on the Appointments URLs...

  • Hoang Ngo

    Hi, @David King,

    I hope you are well today.

    If we cache the PHP Session ID with Varnish, it can hand the SESSION ID to other users, which will cause them to see others' information, appointments, etc., which only belong to the current user.

    I suppose one could nuke the session cookies except on the Appointments URLs...

    I think you can try. However, please note that any plugins that use cookies to store runtime data might have issues with that.

    Best regards,

  • David King

    I think you've half misunderstood what I meant;

    The WPMUdev plugin Membership 2 Pro (see linked ticket in OP) unconditionally sets PHP session cookies, even though it only needs them if the user is logged in (according to the developer). Consequently, and because we have this plugin network activated, no page anywhere on the network can be cached.

    So I adapted our Varnish VCL to drop session cookies if the user is not logged in. This is okay for the most part but, as you say, it has the potential to interfere with other plugins — including Appointments+. I have asked for the dev to fix this, but I haven't had a response back as to whether he will or not.

    So I shall have to adapt the VCL again to leave the cookies in place on requests to Appointments+ pages. That's not so much of a problem, but it is a nuisance.

    However, your point about the risk of caching a user's appointment is well made (even if I'm unsure how the appointment could be made in the first place if every request generates a new session ID).

    I hope Philipp fixes M2P properly so my Varnish hack will no longer be necessary. It is nearly impossible to be sure whether a given plugin uses sessions or not, and it is overly burdensome anyway — especially when the solution should be a fairly simple fix of wrapping the session_start() call in an is_user_logged_in() conditional.
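
A sketch of the Varnish approach discussed in this thread, added here as an example and not taken from any poster's configuration: it drops the PHP session cookie for anonymous visitors, leaves it alone on the booking pages, and keeps session IDs out of cached objects. The backend address and the `/appointments` path are assumptions; `PHPSESSID` is PHP's default session cookie name and `wordpress_logged_in_` is the prefix of WordPress's login cookie.

```vcl
vcl 4.0;

# Assumed origin address; replace with the real backend.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Logged-in users and the login/admin area always bypass the cache.
    if (req.http.Cookie ~ "wordpress_logged_in_" ||
        req.url ~ "^/wp-(login\.php|admin)") {
        return (pass);
    }

    # Hypothetical path: booking pages keep their session cookie and are
    # never served from cache, so one visitor's session is not shared.
    if (req.url ~ "^/appointments(/|\?|$)") {
        return (pass);
    }

    # Anonymous request elsewhere: remove only the PHP session cookie.
    if (req.http.Cookie) {
        set req.http.Cookie = regsuball(req.http.Cookie,
            "(^|;\s*)PHPSESSID=[^;]*", "");
        set req.http.Cookie = regsub(req.http.Cookie, "^;\s*", "");
        if (req.http.Cookie ~ "^\s*$") {
            unset req.http.Cookie;
        }
    }
    # Falls through to the built-in vcl_recv, which still passes any
    # request that has other cookies left.
}

sub vcl_backend_response {
    # Passed requests (bereq.uncacheable) keep every Set-Cookie header.
    # For cacheable ones, remove Set-Cookie before the object is stored so
    # a session ID is never cached and replayed to other visitors. This
    # drops all cookies on those responses, not just PHPSESSID.
    if (!bereq.uncacheable) {
        unset beresp.http.Set-Cookie;
    }
}
```

Any other plugin that relies on setting a cookie for anonymous visitors needs its own pass rule in `vcl_recv`, which is the interference risk raised in the replies above.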
