- Magento 2.4.7-p4
- Varnish 7.5
- PHP 8.3
We are running Magento 2.4.7-p4 with Varnish 7.5 as the Full Page Cache (FPC) and PHP 8.3. The Varnish configuration has been set up following Magento's recommended guidelines. However, we are facing a critical issue where some users report being suddenly logged in as another user, gaining access to My Account, and being able to edit sensitive information like addresses.
When we switch back to Magento’s built-in cache, the issue disappears.
```vcl
sub vcl_recv {
    ....
    # Bypass the cache entirely for API, account, checkout, search and feed URLs
    if (req.url ~ "^/rest/" || req.url ~ "/customer" || req.url ~ "/account" || req.url ~ "/checkout" || req.url ~ "/catalogsearch" || req.url ~ "/health_check.php" || req.url ~ "/sitemap*.xml" || req.url ~ "/sitemap" || req.url ~ "/feeds" || req.url ~ "\.xml$" || req.url ~ "^/swagger/") {
        return (pass);
    }
    # Requests that carry a PHPSESSID cookie, or that hit account/admin/cart/
    # checkout/customer URLs, are also passed straight to the backend
    if (req.http.Cookie) {
        if (req.http.Cookie ~ "(PHPSESSID)" || req.url ~ "(account|admin|cart|checkout|customer)") {
            return (pass);
        }
    }
    ...
}

sub vcl_backend_response {
    ....
    # Every 200 and 404 leaves this sub here, and is stored for its computed
    # TTL unless beresp.uncacheable has been set earlier. The private check in
    # the elsif is only reached for other status codes, and the explicit
    # return also skips Varnish's builtin vcl_backend_response.
    if (beresp.status == 200 || beresp.status == 404) {
        return (deliver);
    } elsif (beresp.http.Cache-Control ~ "private") {
        set beresp.uncacheable = true;
        set beresp.ttl = 0s;
        return (deliver);
    }
    ....
}
```
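The ordering in the posted vcl_backend_response is the first thing to look at: `return (deliver)` fires for every 200 and 404 before the `Cache-Control ~ "private"` branch is evaluated, and an explicit return in vcl_backend_response also prevents Varnish's builtin vcl_backend_response from running, which is the code that normally marks a response carrying Set-Cookie (or private/no-store) as uncacheable. A cached response that still carries a session cookie is exactly the kind of object that would hand one visitor's session to the next. The fragment below is an added example, not the original poster's VCL and not Magento's generated file: it keeps the status check in the order Magento's reference VCL uses (assumption; compare it with the VCL your own instance generates under Stores > Configuration > Advanced > System > Full Page Cache) and adds an explicit Set-Cookie guard. It replaces only the corresponding sub; the elided parts of the post (the rest of vcl_recv, vcl_hash) are not shown and are not addressed here.

```vcl
# Added example: drop-in replacement for the posted vcl_backend_response.
# Not the original poster's VCL and not Magento's generated file; the order of
# the status/private checks follows Magento's reference VCL as far as I know
# it, the Set-Cookie guard is an addition of mine.
sub vcl_backend_response {
    # Anything other than 200/404 is never stored; mark it uncacheable
    # (hit-for-miss) for two minutes so concurrent requests are not serialized.
    if (beresp.status != 200 && beresp.status != 404) {
        set beresp.ttl = 120s;
        set beresp.uncacheable = true;
        return (deliver);
    } elsif (beresp.http.Cache-Control ~ "private") {
        # The backend explicitly marked this response private: do not store it.
        set beresp.ttl = 120s;
        set beresp.uncacheable = true;
        return (deliver);
    }

    # Guard: a response that sets any cookie must not be stored. Magento's
    # reference VCL strips Set-Cookie from cacheable GET/HEAD responses instead;
    # refusing to cache is the safer default while the root cause is unclear,
    # at the cost of some hit rate, and it shows up clearly in varnishlog.
    if (beresp.http.Set-Cookie) {
        set beresp.ttl = 120s;
        set beresp.uncacheable = true;
        return (deliver);
    }

    # Anything reaching here is a 200/404, not private, without Set-Cookie.
    # If the backend gave it no positive lifetime, do not keep it either.
    if (beresp.ttl <= 0s) {
        set beresp.ttl = 120s;
        set beresp.uncacheable = true;
    }
    return (deliver);
}
```

To confirm the symptom is (or is not) a cached cookie, fetch a public catalogue page twice from a shell with no cookies, for example `curl -sD - -o /dev/null https://<shop>/`, and check the second response: Varnish reports a cache hit through an `Age` header greater than 0, and such a response must never carry a `Set-Cookie` header for the session cookie. Since vcl_hash is not in the post, also confirm it hashes the `X-Magento-Vary` cookie the way Magento's reference VCL does (assumption, based on that reference); without it, logged-in and anonymous variants of the same URL share one cache key even once the ordering above is fixed.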