Cookies and Varnish

Any response with a session cookie in the Cookie header is not stored in the Varnish cache. If any part of the cookie matches the regular expression S?SESS[a-zA-Z0-9]*, NO_CACHE, or PERSISTENT_LOGIN_*, the response bypasses the cache.

In all requests for static assets, all cookie headers, including session cookies, are stripped and most responses are stored in the Varnish cache. For more information on exceptions to cache storage, see Stripping cookies from static files.

The full cookie header is sent to your application unaltered by the Varnish cache.

If your application creates different cacheable content dependent on cookie values, you can instruct the Varnish cache to store and return different objects by utilizing the Vary response header.

Ensure that you are careful while setting cookies with Vary. The Acquia Cloud Varnish implementation can extract and manipulate such cookies. Acquia Cloud Varnish ignores all cookies except those named acquia_a, acquia_b, acquia_c, and the one response cookie prefixed with acquia_extract.

Example two: Passing Acquia-provided cookies

Acquia provides the following generic cookies that can be customized with any value useful to your application. The advantage is that these request cookies are converted to headers and therefore, the Varnish cache can be varied on them.

Cookie Header value
Cookie: acquia_a=blue; X-Acquia-Cookie-A: blue
Cookie: acquia_b=green; X-Acquia-Cookie-B: green
Cookie: acquia_c=red; X-Acquia-Cookie-C: red

Consider a request that comes to Acquia Cloud Platform with the following cookie header:

Cookie: specific_thing=anything;clicked_banner=0;acquia_a=blue;acquia_b=green;acquia_extract:WEBSHOP_CART_ID=1234;category=shirts;

For the preceding request, the system expands the request headers and sends the following to your application:

X-Acquia-Cookie-Key: WEBSHOP_CART_ID
X-Acquia-Cookie-Value: 1234
X-Acquia-Cookie-A: blue
X-Acquia-Cookie-B: green
Cookie: specific_thing=anything;clicked_banner=0;acquia_a=blue;acquia_b=green;WEBSHOP_CART_ID=1234;category=shirts;

Note that the acquia_extract: is removed from the cookie header value. Your application can decide what to respond with by inspecting the X-Acquia-Cookie-* headers, including the Vary: X-Acquia-Cookie-A option.

Therefore, Acquia Cloud Platform enables you to vary cached content based on some specific cookie values.


The more you vary your cache, the more cache space you consume. Therefore, you should avoid caching based on unpredictable cookie values, such as identifiers, timestamps, or other random data. Acquia recommends less than ten different variations for each URL.

Session cookies invalidate Varnish caching

Content containing Drupal session cookies are never cached, as they contain personalized information that should not be displayed to other users.


For a list of several common Drupal modules that set Drupal session cookies (which invalidates Varnish caching), see Modules and applications incompatible with Cloud Platform.

Reference material

The length of time that a cacheable object is stored in the Varnish cache is determined by the cache control headers, such as Cache-Control and Cache-Control: s-maxage. For more information on controlling cache lifetime, read the following articles: