
Lack of Interest Avoid creating sessions for guest users/robots

Discussion in 'Closed Suggestions' started by Ketola, Sep 17, 2013.

  1. Ketola

    Ketola Member

    I'm trying to optimize the way XenForo is delivered for guest users. I don't see any use for storing session cookies for users that have not logged in, so I'm looking for an option to disable setting xf_session on pages where sessions are not needed. This would make caching XenForo using, for example, Varnish a lot simpler.

    Currently the only solution (without touching code, that is) is to just drop the Set-Cookie header for xf_session on all other page loads besides /(login|logout), but that causes extra sessions to be created on every backend hit, and it causes an error when posting the login form as the session cookie is not set ("Cookies are required to log in to this site. You will not be able to login until they are accepted.").

    At least IGN forums (running XenForo) are currently running on a cookieless setup, but I'm unaware of the way they have implemented it (they use their own login system which sets xf_session cookie when you visit ign.com/boards/ after logging in via s.ign.com first).

    I suggest an option to disable the creation of new sessions for guest users / robots.

    Alternatively, I suggest setting the xf_user cookie for all users that log in, and just defining the xf_user cookie as a session cookie if "Stay logged in" isn't checked.

    • Makes caching content on a proxy server a lot easier
    • Reduces HTTP query size
    • Possibly reduces server load even without a caching reverse proxy by eliminating the need for carrying unique sessions for guest users
    • Unknown
    Marcus and AndyB like this.
  2. AndyB

    AndyB Well-Known Member

    On my forum I have eliminated the Remember Me box and force all members to use cookies. It would be great to have this be an option in the Admin CP.

    I'm in favor of having an option to eliminate sessions for guest users and robots.
  3. Ketola

    Ketola Member

    I tried going this route as well, but if I drop all Cookie headers from requests and Set-Cookie headers from responses, unless either includes xf_user, I run into the "Cookies are required to log in to this site. You will not be able to login until they are accepted" problem when logging in. Did you find a way of eliminating the sessions?
  4. AndyB

    AndyB Well-Known Member

    Eliminating the Remember Me checkbox is an easy template edit. But this only pertains to members who log in.

    Nope. That would be difficult to do.
  5. Ketola

    Ketola Member

    Indeed. But that doesn't solve the problem of /login/login page requiring the session cookie to exist when logging in, which makes it impossible to drop the xf_session cookie altogether for guests.

    In short what I have tried (in Varnish VCL) is:

    sub vcl_recv {
      if (req.http.Cookie) {
        # Care only about xf_ cookies
        # Cookie should only be set for users that have logged in, so it can be dropped
        if (req.http.Cookie !~ "(xf_user|xf_session)") {
          remove req.http.Cookie;
        }
      }
    }

    sub vcl_fetch {
      # If the backend is trying to send a Set-Cookie header for xf_session or xf_user,
      # drop it unless the request URL is for a login/logout page or admin
      if (beresp.http.Set-Cookie ~ "(xf_session|xf_user)" && req.url !~ "/(login|logout|admin\.php)") {
        # Debug: show the header that has been dropped
        set beresp.http.X-Cookie-Removed = "Removed " + beresp.http.Set-Cookie;
        # Drop Set-Cookie header
        unset beresp.http.Set-Cookie;
        # Force 10min TTL for object
        set beresp.ttl = 10m;
        # Set Cache-Control public to allow Varnish to cache object
        set beresp.http.Cache-Control = "public, max-age=0";
      }
    }

    That works fine as long as the user visits http://myforum/login/ first before logging in. Trying to log in via the top loginBar throws the XenForo_Phrase('cookies_required_to_log_in_to_site') error.
  6. AndyB

    AndyB Well-Known Member

    If you comment out this portion of the Login.php file:

        if ($data['cookie_check'] && count($_COOKIE) == 0)
            // login came from a page, so we should at least have a session cookie.
            // if we don't, assume that cookies are disabled
            return $this->_loginErrorResponse(

    You can log in without the xf_session cookie.
    Weppa333, Marcus and Ketola like this.
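
A toy model of the setup discussed in posts 5 and 6, added here as an illustration and not code from the thread or from XenForo: it applies the two VCL rules to a simulated browser and backend to show why guest hits keep creating sessions and why the login bar fails unless /login/ was visited first. `ToyBackend`, the sample URLs and the one-session-per-cookieless-hit behaviour are assumptions; only the two regexes and the cookie-count check come from the posts.

```python
import re

# Patterns copied from the VCL in post 5.
XF_COOKIES = re.compile(r"(xf_user|xf_session)")
KEEP_SET_COOKIE = re.compile(r"/(login|logout|admin\.php)")

class ToyBackend:
    """Hypothetical stand-in for the forum, not XenForo code."""
    def __init__(self):
        self.sessions_created = 0

    def handle(self, method, url, cookies):
        set_cookie = None
        if "xf_session" not in cookies:  # assumption: a session per cookieless hit
            self.sessions_created += 1
            set_cookie = f"xf_session=s{self.sessions_created}"
        # Models the check quoted in post 6: count($_COOKIE) == 0 on login.
        if method == "POST" and url == "/login/login" and not cookies:
            return "cookies_required_to_log_in_to_site", set_cookie
        return ("logged_in" if method == "POST" else "page"), set_cookie

def proxy(backend, jar, method, url):
    """One request through both VCL rules; jar is the browser's cookie dict.
    Caching is not modelled, so every request is a backend hit."""
    header = "; ".join(f"{k}={v}" for k, v in jar.items())
    sent = dict(jar) if XF_COOKIES.search(header) else {}   # vcl_recv rule
    body, set_cookie = backend.handle(method, url, sent)
    if set_cookie and XF_COOKIES.search(set_cookie) and not KEEP_SET_COOKIE.search(url):
        set_cookie = None                                   # vcl_fetch rule
    if set_cookie:
        name, value = set_cookie.split("=", 1)
        jar[name] = value
    return body

def guest_browsing(urls):
    backend, jar = ToyBackend(), {}
    for url in urls:
        proxy(backend, jar, "GET", url)
    return backend.sessions_created, jar

def login_attempt(visit_login_page_first):
    backend, jar = ToyBackend(), {}
    proxy(backend, jar, "GET", "/threads/1/")       # constructed sample URL
    if visit_login_page_first:
        proxy(backend, jar, "GET", "/login/")
    return proxy(backend, jar, "POST", "/login/login")

if __name__ == "__main__":
    print(guest_browsing(["/", "/forums/", "/threads/1/"]))
    print(login_attempt(False), login_attempt(True))
```
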
  7. Ketola

    Ketola Member

    Thanks! I almost tried that earlier today, but thought that most likely it'll just fail to associate the xf_session with the userid.

    I'll give it a shot and report my findings.
    Marcus likes this.
  8. Adam Howard

    Adam Howard Well-Known Member

    I have that box checked by default and hidden so people cannot uncheck it.

    We end up having people getting logged out easily otherwise.
  9. Ketola

    Ketola Member

    I did this by first commenting out (or removing) the following line from login_bar_form template
    <label for="ctrl_remember" class="rememberPassword"><input type="checkbox" name="remember" value="1" id="ctrl_remember" tabindex="103" /> {xen:phrase stay_logged_in}</label>
    and then adding to the end of the same template within other hidden input fields
    <input type="hidden" name="remember" value="1" />
    Weppa333 and Marcus like this.
