Create cookie naming standards


There are a handful of modules that set extra cookies to accomplish various things outside of the session. Some of them are used only on the client side and the server never needs to see them. Some of them are actually used on the server side. See:
https://wiki.fourkitchens.com/display/PF/Modules+that+break+caching,+and...

If you are running something like Varnish you can't tell which need to be seen by the server and which don't. We generally strip all client side only cookies to increase odds of caching. What I'm proposing is that we define a set cookie name prefix for client side only cookies, and possibly one for regular cookies. If contrib authors tried to stick to the prefixes then it would mean a lot less customization of the de facto Varnish VCL that everyone uses. For example, the de facto VCL already uses the regex "__[a-z]+" for Google Analytics.

It could be as simple as stating that all client side only cookies should have a prefix of "__". Thoughts?

Comments

nwohleb: I think the naming


nwohleb:

I think the naming convention is a good idea.

I also want to point out though, that we (Four Kitchens) now recommend using a cookie whitelist approach instead of the old method that you reference above. So in the VCL configuration, you strip all cookies and allow through only those that are explicitly named. This works well - if a required cookie is being removed you'll soon find that your application breaks.

The VCL for Drupal 7 and Varnish 3 can be found here: https://fourkitchens.atlassian.net/wiki/display/TECH/Configure+Varnish+f...
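The two strategies discussed in this thread, as an added illustration in Varnish 3 VCL (this is not the Four Kitchens VCL linked above, and the server-side cookie names SESS*/SSESS*/NO_CACHE are assumed for a Drupal 7 site):

```vcl
sub vcl_recv {
  if (req.http.Cookie) {
    # Blacklist variant (what the original post relies on): drop only the
    # cookies whose names carry the client-side-only prefix, e.g. "__utma".
    # set req.http.Cookie = regsuball(req.http.Cookie, "(^|;\s*)__[a-z]+=[^;]*", "");

    # Whitelist variant: keep only the cookies the server is known to need.
    # Normalise to ";name=value;name=value" so every cookie starts with ";".
    set req.http.Cookie = ";" + req.http.Cookie;
    set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";");
    # Mark the whitelisted cookies (assumed Drupal 7 names) with "; " instead of ";".
    set req.http.Cookie = regsuball(req.http.Cookie, ";(S?SESS[a-z0-9]+|NO_CACHE)=", "; \1=");
    # Remove every cookie that was not marked.
    set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", "");
    # Strip the leading/trailing separators left behind.
    set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", "");
    if (req.http.Cookie == "") {
      # No server-side cookie left, so drop the header and let Varnish serve from cache.
      remove req.http.Cookie;
    }
  }
}
```

With the whitelist in place, a request carrying "has_js=1; SESSabc=xyz; __utma=1.2" reaches the backend with only "SESSabc=xyz", and a request carrying nothing but client-side cookies reaches the backend with no Cookie header at all.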

I agree with the whitelist


I agree with the whitelist approach. I'm still stuck on D6 and haven't had the chance to look into switching to a whitelist. One of the reasons I was thinking about this was managed hosting systems like Acquia and Pantheon. I believe that Acquia is still using the blacklist approach, though this might have changed.