This checks to see if the user has a cookie named one of those (each | is the regex OR operator, so it can match any one of those). If there is a cookie with that name, then we hash the value of the cookie so that user gets their own cache. This is achieved using the hash_data function which adds the parameter to the cache key for the request (so you're adding the contents of req.http.Cookie to the cache key).
The reason for this is so logged-in users don't see a cached version of the page from a logged-out user.
This is pretty secure, although I personally wouldn't do this as it does open up some problems (e.g. a user logs out and invalidates their session, but an attacker could see the cached pages from, say, their profile page by replicating the request headers).
A better option is to simply not cache those pages (100% safe). You could put that in the vcl_recv function:
    sub vcl_recv {
        # Requests carrying any of these cookies bypass the cache entirely.
        if (req.http.Cookie ~ "wp-postpass_|wordpress_logged_in_|comment_author|PHPSESSID") {
            return (pass);
        }
    }
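A simplified Python model of the two policies discussed above, added here as an illustration and not part of the original answer or of Varnish itself. It compares what a request carrying an old cookie receives after logout when the cookie is hashed into the cache key versus when such requests are passed; the Backend and CacheModel classes, replay_after_logout and the cookie value are constructed for the example.

```python
import hashlib
import re

# Same pattern the VCL above matches against req.http.Cookie.
SESSION_COOKIE = re.compile(r"wp-postpass_|wordpress_logged_in_|comment_author|PHPSESSID")


class Backend:
    """Constructed stand-in for the application: personalises pages for live sessions only."""

    def __init__(self):
        self.sessions = {}  # cookie header -> username

    def render(self, url, cookie):
        user = self.sessions.get(cookie)
        return f"{url} for {user}" if user else f"{url} for anonymous"


class CacheModel:
    """Simplified model of the two policies; it is not Varnish itself."""

    def __init__(self, backend, policy):
        self.backend, self.policy, self.store = backend, policy, {}

    def fetch(self, url, cookie=""):
        has_session = bool(SESSION_COOKIE.search(cookie))
        if has_session and self.policy == "pass":
            # return (pass): no lookup and no store, the backend always decides
            return "MISS", self.backend.render(url, cookie)
        h = hashlib.sha256(url.encode())
        if has_session:
            # hash_data(req.http.Cookie): the cookie becomes part of the cache key
            h.update(cookie.encode())
        key = h.hexdigest()
        if key in self.store:
            return "HIT", self.store[key]
        self.store[key] = self.backend.render(url, cookie)
        return "MISS", self.store[key]


def replay_after_logout(policy):
    """Return what a request with the old cookie gets once the session is invalidated."""
    backend = Backend()
    cookie = "wordpress_logged_in_abc=constructed-session-value"
    backend.sessions[cookie] = "alice"
    cache = CacheModel(backend, policy)
    cache.fetch("/profile", cookie)   # logged-in request; stored when policy is "hash"
    del backend.sessions[cookie]      # logout: the backend no longer accepts the cookie
    return cache.fetch("/profile", cookie)
```

Under the "hash" policy the cached profile page is still served after logout because the backend is never consulted; under "pass" the backend sees the request and treats it as anonymous.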