
[Lack of interest] Avoid creating sessions for guest users/robots

#1
I'm trying to optimize the way XenForo is delivered for guest users. I don't see any use for storing session cookies for users that have not logged in, so I'm looking for an option to disable setting xf_session on pages where sessions are not needed. This would make caching XenForo using, for example, Varnish a lot simpler.

Currently the only solution (without touching code, that is) is to just drop the Set-Cookie header for xf_session on all other page loads besides /(login|logout), but that causes extra sessions to be created on every backend hit, and it causes an error when posting the login form as the session cookie is not set ("Cookies are required to log in to this site. You will not be able to login until they are accepted.").

At least IGN forums (running XenForo) are currently running on a cookieless setup, but I'm unaware of the way they have implemented it (they use their own login system which sets xf_session cookie when you visit ign.com/boards/ after logging in via s.ign.com first).

I suggest an option to disable the creation of new sessions for guest users / robots.

Alternatively, I suggest setting the xf_user cookie for all users that log in, and just defining the xf_user cookie as a session cookie if "Stay logged in" isn't checked.

Pros:
  • Makes caching content on a proxy server a lot easier
  • Reduces HTTP query size
  • Possibly reduces server load even without a caching reverse proxy by eliminating the need for carrying unique sessions for guest users
Cons:
  • Unknown
 

AndyB

Well-known member
#2
On my forum I have eliminated the Remember Me box and force all members to use cookies. It would be great to have this be an option in the Admin CP.

I'm in favor of having an option to eliminate sessions for guest users and robots.
 
#3
> On my forum I have eliminated the Remember Me box and force all members to use cookies. It would be great to have this be an option in the Admin CP.

I tried going this route as well, but if I drop all Cookie headers from requests and Set-Cookie headers from responses, unless either includes xf_user, I run into the "Cookies are required to log in to this site. You will not be able to login until they are accepted" problem when logging in. Did you find a way of eliminating the sessions?
 

AndyB

Well-known member
#4
> I tried going this route as well, but if I drop all Cookie headers from requests and Set-Cookie headers from responses, unless either includes xf_user, I run into the "Cookies are required to log in to this site. You will not be able to login until they are accepted" problem when logging in.

Eliminating the Remember Me checkbox is an easy template edit. But this only pertains to members who log in.

> Did you find a way of eliminating the sessions?

Nope. That would be difficult to do.
 
#5
> Eliminating the Remember Me checkbox is an easy template edit. But this only pertains to members who log in.

Indeed. But that doesn't solve the problem of /login/login page requiring the session cookie to exist when logging in, which makes it impossible to drop the xf_session cookie altogether for guests.

In short, what I have tried (in Varnish VCL) is:

Code:
sub vcl_recv {
  if (req.http.Cookie) {
    # Care only about xf_ cookies
    # They should only be set for users that have logged in, so any other Cookie header can be dropped
    if (req.http.Cookie !~ "(xf_user|xf_session)") {
      remove req.http.Cookie;
    }
  }
}

sub vcl_fetch {
  # If the backend is trying to send a Set-Cookie header for xf_session or xf_user,
  # drop it unless the request URL is for a login/logout page or admin
  if (beresp.http.Set-Cookie ~ "(xf_session|xf_user)" && req.url !~ "/(login|logout|admin\.php)") {
    # Debug: show the header that has been dropped
    set beresp.http.X-Cookie-Removed = "Removed " + beresp.http.Set-Cookie;
    # Drop Set-Cookie header
    unset beresp.http.Set-Cookie;
    # Force 10min TTL for object
    set beresp.ttl = 10m;
    # Set Cache-Control public to allow Varnish to cache object
    set beresp.http.Cache-Control = "public, max-age=0";
  }
}
That works fine as long as the user visits http://myforum/login/ first before logging in. Trying to log in via the top loginBar throws the XenForo_Phrase('cookies_required_to_log_in_to_site') error.
 

AndyB

Well-known member
#6
> Indeed. But that doesn't solve the problem of /login/login page requiring the session cookie to exist when logging in, which makes it impossible to drop the xf_session cookie altogether for guests.

If you comment out this portion of the Login.php file:

PHP:
if ($data['cookie_check'] && count($_COOKIE) == 0)
{
    // login came from a page, so we should at least have a session cookie.
    // if we don't, assume that cookies are disabled
    return $this->_loginErrorResponse(
        new XenForo_Phrase('cookies_required_to_log_in_to_site'),
        $data['login'],
        true,
        $redirect
    );
}
You can log in without the xf_session cookie.
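As an added illustration (not code from this thread or from XenForo), a Python model of the two VCL rules from #5 together with the cookie_check branch from #6; Backend, proxy and login_flow are hypothetical names and the cookie values are constructed. It reproduces the loginBar failure, the /login/-first workaround and the effect of removing the check, and counts how many backend sessions each flow creates.

```python
import re

# Constructed simulation mirroring the VCL in #5 and the cookie_check branch in #6; names are hypothetical.
XF_COOKIE_RE = re.compile(r"(xf_user|xf_session)")
LOGIN_URL_RE = re.compile(r"/(login|logout|admin\.php)")


class Backend:
    """Stand-in for XenForo: a request without xf_session gets a fresh session."""

    def __init__(self, cookie_check=True):
        self.cookie_check = cookie_check  # False models commenting out the check in #6
        self.sessions = 0  # sessions the backend had to create

    def handle(self, url, cookies):
        headers = []  # Set-Cookie headers of this response
        if "xf_session" not in cookies:
            self.sessions += 1
            headers.append(f"xf_session=s{self.sessions}; path=/")
        if url == "/login/login":  # the login form POST
            if self.cookie_check and not cookies:  # count($_COOKIE) == 0
                return "cookies_required_to_log_in_to_site", headers
            headers.append("xf_user=42; path=/")  # "Stay logged in" cookie
            return "logged_in", headers
        return f"page {url}", headers


def proxy(backend, url, client_cookies):
    """Apply the two VCL rules from #5 around a backend call."""
    # vcl_recv: keep the Cookie header only if it carries an xf_ cookie
    cookies = dict(client_cookies)
    if not any(XF_COOKIE_RE.search(name) for name in cookies):
        cookies = {}
    body, headers = backend.handle(url, cookies)
    # vcl_fetch: drop xf_* Set-Cookie headers unless the URL is login/logout/admin
    if not LOGIN_URL_RE.search(url):
        headers = [h for h in headers if not XF_COOKIE_RE.search(h)]
    return body, headers


def login_flow(backend, first_page):
    """Visit first_page, then POST the login form with the cookies the browser kept."""
    jar = {}
    for url in (first_page, "/login/login"):
        body, headers = proxy(backend, url, jar)
        for header in headers:
            name, value = header.split(";", 1)[0].split("=", 1)
            jar[name] = value
    return body, sorted(jar)
```

With the check in place, `login_flow(Backend(), "/index")` ends in the cookies_required phrase while `login_flow(Backend(), "/login/")` succeeds; with `cookie_check=False` the login from a cached page succeeds too, but the backend still created a session on every guest hit.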
 
#7
Thanks! I almost tried that earlier today, but thought that most likely it'll just fail to associate the xf_session with the userid.

I'll give it a shot and report my findings.
 

Adam Howard

Well-known member
#8
> On my forum I have eliminated the Remember Me box and force all members to use cookies. It would be great to have this be an option in the Admin CP.
>
> I'm in favor of having an option to eliminate sessions for guest users and robots.

I have that box checked by default and hidden so people cannot uncheck it.

We end up having people getting logged out easily otherwise.
 
#9
> I have that box checked by default and hidden so people cannot uncheck it.
>
> We end up having people getting logged out easily otherwise.

I did this by first commenting out (or removing) the following line from the login_bar_form template:
HTML:
<label for="ctrl_remember" class="rememberPassword"><input type="checkbox" name="remember" value="1" id="ctrl_remember" tabindex="103" /> {xen:phrase stay_logged_in}</label>
and then adding the following to the end of the same template, alongside the other hidden input fields:
HTML:
<input type="hidden" name="remember" value="1" />