If the role cookie expires before a session cookie expires and caching is varied on role, the following situation could happen:

Assumptions:
- Session cookie lifetime set to greater than 1 day
- The page is varied on the role cookie

1. User A logs in with the "Special user role"
2. After 1 day (default esi_seed_key_rotation_interval) User A's role cookie expires
3. User B, who is anonymous (and doesn't have a role cookie), visits a page and the anonymous version is cached
4. User A visits that page. Because he has no role cookie, the cache assumes he is anonymous and serves the cached anonymous version.

Because of this, the role cookie should always be saved at least as long as the session cookie. Patch attached.
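The four steps above, replayed as a small simulation. This is an added example, not code from the ESI module or the attached patch: the cookie lifetimes, the cookie names (`SESS`, `role`), the page path and the `VaryOnRoleCache` class are all constructed here. It varies a shared cache on the role cookie exactly as the report describes, and shows that with a role cookie shorter than the session a still-logged-in user is served the anonymous variant, while giving the role cookie the session's lifetime (the fix the report proposes) keeps the variants apart.

```python
"""Constructed simulation of a cache varied on a role cookie (not ESI module code)."""
from dataclasses import dataclass, field

DAY = 86400
SESSION_LIFETIME = 3 * DAY               # constructed: session cookie lives longer than 1 day
SHORT_ROLE_LIFETIME = 1 * DAY            # constructed: role cookie expires after the 1-day rotation
FIXED_ROLE_LIFETIME = SESSION_LIFETIME   # the fix: role cookie lives at least as long as the session
ANONYMOUS = "anonymous"
SPECIAL = "special user role"


@dataclass
class Cookie:
    value: str
    expires_at: int  # seconds since t=0 at which the browser stops sending the cookie


@dataclass
class Browser:
    """A user agent that only sends cookies which have not yet expired."""
    cookies: dict = field(default_factory=dict)

    def sent_value(self, name: str, now: int):
        cookie = self.cookies.get(name)
        if cookie is None or cookie.expires_at <= now:
            return None
        return cookie.value


def log_in(browser: Browser, role: str, now: int, role_lifetime: int) -> None:
    """Set the session cookie and the role cookie the cache varies on (names constructed)."""
    browser.cookies["SESS"] = Cookie("session-token", now + SESSION_LIFETIME)
    browser.cookies["role"] = Cookie(role, now + role_lifetime)


def render(path: str, role: str) -> str:
    """Stand-in for the origin server: page content differs per role."""
    return f"{path} rendered for {role}"


class VaryOnRoleCache:
    """Shared cache keyed on (path, role cookie); a missing role cookie means anonymous."""

    def __init__(self):
        self.store = {}

    def get(self, path: str, browser: Browser, now: int) -> str:
        role = browser.sent_value("role", now) or ANONYMOUS
        key = (path, role)
        if key not in self.store:
            self.store[key] = render(path, role)
        return self.store[key]


def run_scenario(role_lifetime: int) -> dict:
    """Replay the report's four steps and return what user A is served afterwards."""
    cache = VaryOnRoleCache()
    user_a, user_b = Browser(), Browser()
    t0 = 0
    log_in(user_a, SPECIAL, t0, role_lifetime)       # step 1: A logs in with the special role
    t_later = t0 + SHORT_ROLE_LIFETIME + 1           # step 2: just past the 1-day mark
    cache.get("/page", user_b, t_later)              # step 3: anonymous B populates the cache
    served = cache.get("/page", user_a, t_later)     # step 4: A requests the same page
    return {
        "session_still_valid": user_a.sent_value("SESS", t_later) is not None,
        "served": served,
    }


if __name__ == "__main__":
    print("short role cookie:", run_scenario(SHORT_ROLE_LIFETIME))
    print("fixed role cookie:", run_scenario(FIXED_ROLE_LIFETIME))
```

In the short-lifetime run the session cookie is still valid, so user A is still logged in from the server's point of view, yet the cache key no longer carries the role and the anonymous variant is returned. A check worth keeping in a test suite for any vary-on-cookie setup is exactly this pair: the session and every cookie the cache varies on must expire together or the cache will silently merge variants.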

Files:
Comment | File                           | Size      | Author
        | esi-role-cookie-lifetime.patch | 702 bytes | andrewlevine

Comments

Version: 6.x-1.0-beta1 » 6.x-2.x-dev
Status: Needs review » Fixed

This has been fixed in the 2.x branch. If I am mistaken please re-open.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.