
XF 1.4 Does XF still use the xf_user cookie?

Nuno

Active member
#1
Hello,

I'm trying to configure nginx to cache pages for guests, and in my readings I found a reference to the xf_user cookie, but I don't see it in my headers, either as a guest or as a member.

Where does XF store the login session? How can I identify guests/members by their cookies?

Thanks
 

Mike

XenForo developer
Staff member
#2
You can't truly identify a guest vs member via cookie. It's only stored in a session.

The presence of the user cookie would tell you they're not a guest (but the lack of it doesn't tell you they're a guest).
 

Nuno

Active member
#3
Thanks Mike,

Would be nice to have a way to identify guests/members with a cookie; this way we could easily map a variable in nginx to cache guest pages :)
 

RastaLulz

Well-known member
#4
That's unfortunate, was hoping to use that to detect if a page should be cached or not with Varnish. I guess it's back to the drawing board.
 

Nuno

Active member
#6
Thanks RoldanLT

Forcing stay connected is dangerous when the user shares his device with others, but will do.
 

RastaLulz

Well-known member
#8
You can use this addon: https://xenforo.com/community/resources/remove-stay-logged-in.2444/
Or do it manually on templates.

Then you can now identify guest vs logged-in user ;).
I have had this implementation for more than a year now with nginx fastcgi_cache.
While this does the job, after playing around with it a little, I noticed a user can delete the "xf_user" cookie (be it malicious or not) and still remain logged in, caching pages with their information.

Therefore, I went ahead and created an add-on (Logged In Cookie) that would be better suited for this use case (caching), by creating an "xf_logged_in" cookie that will display the page as a guest if not present, to avoid what I mentioned above. It also gives users the added benefit of being able to choose if they want to stay logged in or not.
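
The caching rule this post arrives at, written out as an nginx configuration. This is an added example, not part of the original post or of the add-on; the zone name, paths, host name and PHP-FPM socket are placeholders, and it assumes the Logged In Cookie add-on behaves as the post describes.

```nginx
# Added example. Goes inside http { }. Paths, zone, host and socket are placeholders.
fastcgi_cache_path /var/cache/nginx/xf levels=1:2 keys_zone=xf_guest:50m inactive=10m;

# Weak rule (the xf_user approach quoted above): "no xf_user cookie" is
# treated as "guest". A logged-in user who deletes xf_user stays logged in
# through the session, so a page carrying their information could be
# stored and then served to other visitors.
# map $cookie_xf_user $skip_by_cookie {
#     default 1;
#     ""      0;
# }

# Rule for use with the add-on: per the post, XenForo renders the guest view
# whenever xf_logged_in is absent, so the backend itself enforces what the
# missing cookie means and nginx no longer has to trust the client.
map $cookie_xf_logged_in $skip_by_cookie {
    default 1;   # cookie present: never read from or write to the cache
    ""      0;   # cookie absent: backend renders the page as a guest
}

# Only GET and HEAD requests are candidates for caching.
map $request_method $skip_by_method {
    default 1;
    GET     0;
    HEAD    0;
}

server {
    listen 80;
    server_name forum.example;
    root /var/www/xenforo;

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;

        fastcgi_cache xf_guest;
        fastcgi_cache_key "$scheme$request_method$host$request_uri";
        fastcgi_cache_valid 200 1m;

        # bypass = do not answer from the cache; no_cache = do not store.
        fastcgi_cache_bypass $skip_by_cookie $skip_by_method;
        fastcgi_no_cache     $skip_by_cookie $skip_by_method;

        add_header X-Cache-Status $upstream_cache_status;
    }
}
```

By default nginx does not store responses that carry a Set-Cookie header; leave `fastcgi_ignore_headers` unset so that protection stays in place.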
 

RoldanLT

Well-known member
#9
Very impressive!
Thanks a lot (y)
 

Nuno

Active member
#10
Thanks @RastaLulz