5

I am writing a web application framework. To properly support reverse proxy servers, I want to make sure that whenever the web application is accessing cookie data, pages that are sent to the user are cached only for that user. As far as I know, there are two ways of achieving this:

header('Vary: Cookie');

or

header('Cache-Control: private');

The immediate benefit of using Vary: Cookie is that a reverse proxy server will cache non-authenticated requests. However, we're using Google Analytics which create cookies through javascript - so I am afraid the Vary: Cookie method is unusable?

frodeborli
  • 1,537
  • 1
  • 21
  • 30

2 Answers2

0

For your case (using Google Analytics), this will not work as GA sets first-party cookies for ".yourdomain.tld"

As of now, I'm seeing the following first party cookies set by Google Analytics:

_gat_gtag_UA_#####_# 
_ga 
_gid
Luke Rehmann
  • 514
  • 5
  • 12
-1

Cookies set by a script served by a given domain will only be sent to that domain.

The proxy will not receive the cookies set by google analytics.

Jérémy Lal
  • 66
  • 4
  • 4
    Google Analytics does however set cookies on the domain itself (first party cookie), not on googles domain. This is the principle of how it works. – simbolo Mar 19 '19 at 16:51