email-alert-frontend: Decision Record: Session management for Email Alert Frontend
NOTE This ADR supersedes by ADR 001.
As part of implementing subscription management, we have decided to enable sessions in Email Alert Frontend. This will allow users to move through the subscription management interface without having to pass large query string parameters between pages.
## Technical implementation
The Varnish configuration for `vcl_fetch` that strips all cookies except for those set by Licensing has been modified to allow cookies for all pages under
Email Alert Frontend has been updated to enable CSRF protection for controllers that render pages under
Email Alert Frontend now explicitly sets the `Cache-Control` HTTP header to `private`. This signals to Fastly and our own Varnish caches that these pages should never be cached. This will prevent users from seeing other users' cached subscription data.
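The check below is an added example, not code from Email Alert Frontend. It audits captured response headers for the failure this decision guards against: a per-user page that a shared cache is still allowed to store. `SESSION_PREFIX` and the sample responses are constructed placeholders, since the real path prefix is not given here.

```ruby
# Added example. SESSION_PREFIX and SAMPLE_RESPONSES are constructed placeholders.
SESSION_PREFIX = "/example-session-area".freeze

# Parse a Cache-Control value into { "directive" => argument-or-true }.
def parse_cache_control(value)
  value.to_s.split(",").each_with_object({}) do |part, directives|
    name, arg = part.strip.split("=", 2)
    next if name.nil? || name.empty?
    directives[name.downcase] = arg.nil? ? true : arg
  end
end

# True when shared caches (a CDN, Varnish) are told not to store the response.
# Only the bare directives count; the qualified form private="field-name"
# is deliberately not treated as blocking, which errs toward a finding.
def blocked_from_shared_caches?(headers)
  cc = parse_cache_control(headers["cache-control"])
  cc["private"] == true || cc["no-store"] == true
end

# A response is per-user if it sits under the session prefix or sets a cookie.
def per_user?(path, headers)
  path == SESSION_PREFIX ||
    path.start_with?("#{SESSION_PREFIX}/") ||
    headers.key?("set-cookie")
end

# Paths of per-user responses that a shared cache may still store.
def leaky_paths(responses)
  leaky = responses.select do |resp|
    headers = resp[:headers].transform_keys(&:downcase)
    per_user?(resp[:path], headers) && !blocked_from_shared_caches?(headers)
  end
  leaky.map { |resp| resp[:path] }
end

# Constructed sample data: path plus response headers as captured from a client.
SAMPLE_RESPONSES = [
  { path: "/example-session-area/page-a", headers: { "Cache-Control" => "private" } },
  { path: "/example-session-area/page-b", headers: { "cache-control" => "max-age=300, public" } },
  { path: "/other", headers: { "Cache-Control" => "max-age=300, public" } },
  { path: "/other/page-c", headers: { "Set-Cookie" => "sid=constructed", "Cache-Control" => "max-age=60" } },
  { path: "/example-session-area/page-d", headers: { "Cache-Control" => "no-store" } },
  { path: "/example-session-area/page-e", headers: {} }
].freeze

puts leaky_paths(SAMPLE_RESPONSES)
```

A response with no `Cache-Control` header is reported as well, because a shared cache may then fall back to its own default TTL.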