
creativestyle/magesuite-vary-cookie-signer
==========================================

X-Magento-Vary Cookie Signer

Version v2.0.3, license OSL-3.0, PHP

[Source](https://github.com/magesuite/vary-cookie-signer) | [Packagist](https://packagist.org/packages/creativestyle/magesuite-vary-cookie-signer) | [Docs](https://creativestyle.de)

Motivation
----------

Magento uses a special cookie called `X-Magento-Vary` to distinguish between different variants of some pages (e.g. the PDP page for customers with a special discount).

When a Varnish server is used, this is handled by adding the content of the `X-Magento-Vary` cookie to the hash key.

This can be abused to bypass the Varnish page cache and generate high load on the PHP server by sending a random cookie value with every request.

This extension provides a way to validate the cookie on the Varnish server: it sets an extra cookie called `X-Magento-Vary-Sign` containing the SHA-1 hash of the `X-Magento-Vary` cookie content and a signing key (which should be a random value). Without knowing the secret, an attacker cannot generate a correctly signed cookie, so Varnish can verify the signature, ignore incorrect values, and therefore reuse the cached page.

Magento configuration
---------------------

Edit the `/app/etc/env.php` file to configure the signing key:

```
...
    'vary_cookie_sign' => [
        'key' => 'REPLACE_THIS_WITH_SIGNING_KEY'
    ]
...
```

Varnish configuration
---------------------

You need to install [uplex vmod_blobdigest](https://code.uplex.de/uplex-varnish/libvmod-blobdigest), which is also available as an RPM in the [mageops repository](https://mageops.github.io/packages-rpm/).

Make sure you have these imports at the beginning of your VCL:

```
import blobdigest;
import cookie;
import blob;

```

Add to `sub vcl_init`:

```
new sha1 =  blobdigest.digest(SHA1);

```

Add to `sub vcl_recv`:

```
if (req.http.cookie ~ "X-Magento-Vary=") {
    cookie.parse(req.http.cookie);
    if(! sha1.update( blob.decode( encoded=cookie.get("X-Magento-Vary") + "REPLACE_THIS_WITH_SIGNING_KEY" ) ) ) {
         return (synth(500, "Internal Server Error"));
    }

    if ( blob.encode( encoding=HEX, case=LOWER, blob=sha1.final() ) != cookie.get("X-Magento-Vary-Sign") ) {
         cookie.delete("X-Magento-Vary");
         set req.http.cookie = cookie.get_string();
    }
}

```

NOTE: The first `if` statement can only fail when `update` is called after `final`, which is not possible here. However, VCL does not allow calling object methods on their own, so the `if` serves mainly as a workaround for this limitation.

Do not forget to replace `REPLACE_THIS_WITH_SIGNING_KEY` with your own unique random string, and make sure you use the same value in Varnish and Magento.
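A small model of the scheme described above, as an added example that is not part of the module or its README: it signs a vary value the way the VCL checks it (SHA-1 over the cookie value followed by the key) and shows that requests carrying unsigned random `X-Magento-Vary` values all fall back to one cache key. The `cache_key` function, the URL and every sample value are constructed assumptions; that the Magento side concatenates in the same order is inferred from the VCL.

```python
import hashlib
import hmac
import secrets

def sign_vary(vary_value: str, key: str) -> str:
    """Lowercase hex SHA-1 over cookie value + key, the order used in the VCL."""
    return hashlib.sha1((vary_value + key).encode()).hexdigest()

def parse_cookies(header: str) -> dict:
    """Minimal Cookie header parser (stand-in for cookie.parse)."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies

def filter_cookies(header: str, key: str) -> dict:
    """Model of the vcl_recv block: drop X-Magento-Vary unless its signature matches."""
    cookies = parse_cookies(header)
    vary = cookies.get("X-Magento-Vary")
    if vary is not None:
        expected = sign_vary(vary, key).encode()
        supplied = cookies.get("X-Magento-Vary-Sign", "").encode()
        # The VCL compares with !=; compare_digest is a constant-time equivalent.
        if not hmac.compare_digest(expected, supplied):
            del cookies["X-Magento-Vary"]
    return cookies

def cache_key(url: str, header: str, key: str) -> tuple:
    """Simplified stand-in for the hash key: URL plus the surviving vary value."""
    return (url, filter_cookies(header, key).get("X-Magento-Vary", ""))

# Constructed sample data: a random signing key and one legitimate vary value.
KEY = secrets.token_hex(32)
VARY = hashlib.sha256(b"constructed-customer-group").hexdigest()

def demo():
    url = "/product.html"
    signed = f"X-Magento-Vary={VARY}; X-Magento-Vary-Sign={sign_vary(VARY, KEY)}"
    # 100 requests with random vary values and a signature made without the key.
    unsigned = [f"X-Magento-Vary={secrets.token_hex(32)}; X-Magento-Vary-Sign={'0' * 40}"
                for _ in range(100)]
    return cache_key(url, signed, KEY), {cache_key(url, h, KEY) for h in unsigned}

if __name__ == "__main__":
    signed_key, unsigned_keys = demo()
    print("signed request key:", signed_key)
    print("distinct keys for 100 unsigned requests:", len(unsigned_keys))
```
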
