
creativestyle/magesuite-vary-cookie-signer
==========================================

X-Magento-Vary Cookie Signer

v2.0.3 (1y ago) · OSL-3.0 · PHP

[Source](https://github.com/magesuite/vary-cookie-signer) · [Packagist](https://packagist.org/packages/creativestyle/magesuite-vary-cookie-signer) · [Docs](https://creativestyle.de)

Motivation
----------


Magento uses a special cookie called `X-Magento-Vary` to distinguish between different variants of some pages (e.g. the PDP page for customers with a special discount).

When a Varnish server is used, this is handled by adding the content of the `X-Magento-Vary` cookie to the hash key.

This can be abused to bypass the Varnish page cache and generate high load on the PHP server by sending a random value with every request.

This extension provides a way to verify the cookie on the Varnish server by adding an extra cookie called `X-Magento-Vary-Sign`, which contains the SHA-1 hash of the `X-Magento-Vary` cookie content and a signing key (which should be a random value). Without knowing the secret, an attacker cannot generate a correctly signed cookie, so Varnish can verify the signature, ignore incorrect values, and therefore reuse the cached page.

Magento configuration
---------------------


Edit the `/app/etc/env.php` file to configure the signing key.

```
...
    'vary_cookie_sign' => [
        'key' => 'REPLACE_THIS_WITH_SIGNING_KEY'
    ]
...
```

Varnish configuration
---------------------

You need to install [uplex vmod\_blobdigest](https://code.uplex.de/uplex-varnish/libvmod-blobdigest), which is also available as an RPM in the [mageops repository](https://mageops.github.io/packages-rpm/).

Make sure you have these imports at the beginning of your VCL:

```
import blobdigest;
import cookie;
import blob;

```

Add to `sub vcl_init`:

```
new sha1 = blobdigest.digest(SHA1);
```

Add to `sub vcl_recv`:

```
if (req.http.cookie ~ "X-Magento-Vary=") {
    cookie.parse(req.http.cookie);
    # Hash the cookie content followed by the signing key.
    if (!sha1.update(blob.decode(encoded=cookie.get("X-Magento-Vary") + "REPLACE_THIS_WITH_SIGNING_KEY"))) {
        return (synth(500, "Internal Server Error"));
    }

    # Drop X-Magento-Vary when the lowercase hex digest does not match the signature cookie.
    if (blob.encode(encoding=HEX, case=LOWER, blob=sha1.final()) != cookie.get("X-Magento-Vary-Sign")) {
        cookie.delete("X-Magento-Vary");
        set req.http.cookie = cookie.get_string();
    }
}
```

NOTE: The first `if` statement can only fail when `update` is called after `final`, which is not possible here. However, VCL does not allow calling the object method on its own, so the `if` serves mainly as a workaround for this limitation.

Do not forget to replace `REPLACE_THIS_WITH_SIGNING_KEY` with your own unique random string, and make sure you use the same value in Varnish and Magento.
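To check a deployment offline, the signature rule and the `vcl_recv` decision can be modelled outside Varnish. The following is an added example, not code from this module: the function names, the demo key and the sample cookie values are assumptions, and the cookie parser is a simplified stand-in for the `cookie` vmod.

```python
import hashlib
import hmac

# Assumption: constructed demo key standing in for REPLACE_THIS_WITH_SIGNING_KEY.
SIGNING_KEY = "constructed-demo-key"


def sign(vary_value: str, key: str) -> str:
    """Lowercase hex SHA-1 of the cookie content followed by the key."""
    return hashlib.sha1((vary_value + key).encode("utf-8")).hexdigest()


def parse_cookies(header: str) -> dict:
    """Simplified stand-in for cookie.parse(): 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def filter_cookie_header(header: str, key: str) -> str:
    """Model of the vcl_recv block: drop X-Magento-Vary unless its signature matches."""
    cookies = parse_cookies(header)
    if "X-Magento-Vary" not in cookies:
        return header  # outer VCL condition not met, header left untouched
    expected = sign(cookies["X-Magento-Vary"], key)
    supplied = cookies.get("X-Magento-Vary-Sign", "")  # a missing cookie never matches
    # The VCL compares with !=; compare_digest is used here as a constant-time equivalent.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        del cookies["X-Magento-Vary"]
        return "; ".join(f"{n}={v}" for n, v in cookies.items())
    return header


if __name__ == "__main__":
    vary = "constructed-vary-value"  # constructed sample value
    signed = f"X-Magento-Vary={vary}; X-Magento-Vary-Sign={sign(vary, SIGNING_KEY)}"
    unsigned = "PHPSESSID=abc; X-Magento-Vary=random123"
    print(filter_cookie_header(signed, SIGNING_KEY))    # kept as sent
    print(filter_cookie_header(unsigned, SIGNING_KEY))  # vary cookie stripped
```

A request whose vary cookie is stripped hashes to the same cache key as a request without the cookie, which is what keeps random values from bypassing the cache.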

