You have to filter out cookies on the images' way back to your client:
```
sub vcl_fetch {
    // ... Line .82 in your pastebin
    if (req.url ~ "\.(png|gif|jpg|jpeg|js|css|ico|pdf)$") {
        unset beresp.http.set-cookie;
    }
    // ...
}
```
Right now this is what's happening (with an empty browser cache for the image cache):
- Request comes to Varnish, Varnish removes the cookie.
- Varnish passes the request to the backend without a cookie.
- Backend fulfills the request and provides a Set-Cookie header (as the request comes to it without any cookie) with a new value.
- Varnish can't cache the object since it has a Set-Cookie header (line 102 on your pastebin).
- Varnish passes the image along with the new cookie to your browser.
- Your browser overwrites your PHPSESSID cookie according to the Set-Cookie header received.
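
To confirm the fix took effect, here is an added check (not part of the original answer) that reads a response's headers and flags static assets that still carry Set-Cookie. The function names, host and sample headers are constructed for illustration, and the HIT/MISS label assumes the X-Varnish header is not stripped before it reaches the client.

```shell
#!/bin/sh
# Added example: flag static-asset responses that still carry Set-Cookie.
# Live use (hypothetical host):
#   curl -sI http://www.example.com/img/logo.png | check_static_headers /img/logo.png

# Same extension list as the VCL condition above.
STATIC_RE='\.(png|gif|jpg|jpeg|js|css|ico|pdf)$'

# Reads raw response headers on stdin.
# Returns 1 if a static URL's response carries Set-Cookie, 0 otherwise.
check_static_headers() {
    csh_url="$1"
    csh_headers="$(tr -d '\r')"          # always drain stdin, drop CRs
    if ! printf '%s\n' "$csh_url" | grep -Eq "$STATIC_RE"; then
        echo "SKIP $csh_url (not a static asset)"
        return 0
    fi
    csh_cookie="$(printf '%s\n' "$csh_headers" | grep -i '^set-cookie:' | head -n 1)"
    # Varnish puts two transaction IDs in X-Varnish on a cache hit, one on a miss.
    if printf '%s\n' "$csh_headers" |
        grep -Eiq '^x-varnish:[[:space:]]*[0-9]+[[:space:]]+[0-9]+'; then
        csh_state=HIT
    else
        csh_state=MISS
    fi
    if [ -n "$csh_cookie" ]; then
        echo "FAIL $csh_url ($csh_state) leaks: $csh_cookie"
        return 1
    fi
    echo "OK   $csh_url ($csh_state) no Set-Cookie"
}

# Constructed sample headers (not captured from a real server).
sample_before_fix() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n'
    printf 'Set-Cookie: PHPSESSID=constructed123; path=/\r\nX-Varnish: 1001\r\n\r\n'
}
sample_after_fix() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n'
    printf 'X-Varnish: 1003 1002\r\nAge: 12\r\n\r\n'
}

sample_before_fix | check_static_headers /img/logo.png || true
sample_after_fix  | check_static_headers /img/logo.png
```

Request the same image twice when testing a live site: the first response after the fix is still a MISS, and only the second should report HIT.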