Last updated: 22 Mar 2018

email-alert-frontend: Decision Record: Session management for Email Alert Frontend

NOTE: This ADR supersedes ADR 001.


As part of implementing subscription management, we have decided to enable sessions in Email Alert Frontend. This will allow users to move through the subscription management interface without having to pass large query string parameters between pages.

## Technical implementation

The Varnish configuration for vcl_recv and vcl_fetch, which strips all cookies except those set by Licensing, has been modified to allow cookies through for all pages under /email. This enables sessions to work once we start setting session data.

### CSRF protection

Email Alert Frontend has been updated to enable CSRF protection for controllers that render pages under /email since cookies are now set for these pages. This fixes some of the issues referred to in ADR 001.

### Cache-Control headers

Email Alert Frontend now explicitly sets the Cache-Control HTTP header to private. This signals to Fastly and our own Varnish caches that these pages should never be cached. This will prevent users from seeing other users' cached subscription data.
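As an added illustration of the two Varnish changes described above (the /email cookie exception and the refusal to cache private responses), the following is example VCL written for this record, not GOV.UK's actual configuration. It uses Varnish 3 syntax to match the vcl_recv/vcl_fetch names used on this page, and assumes the Licensing cookie is named `licensing_session` and that the session-backed pages live under /email.

```vcl
# Example VCL (not the project's own). Assumptions: the Licensing cookie is
# called "licensing_session"; subscription management pages live under /email.
sub vcl_recv {
  if (req.http.Cookie && req.url !~ "^/email(/|\?|$)") {
    # Outside /email, keep only the Licensing cookie and drop everything else,
    # so that stray cookies cannot turn cacheable pages into per-user pages.
    set req.http.Cookie = ";" + req.http.Cookie;
    set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";");
    set req.http.Cookie = regsuball(req.http.Cookie, ";(licensing_session)=", "; \1=");
    set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", "");
    set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", "");
    if (req.http.Cookie == "") {
      unset req.http.Cookie;
    }
  }
  # Under /email the Cookie header is left intact. Requests that still carry a
  # Cookie fall through to Varnish's built-in vcl_recv, which passes them to
  # the backend rather than serving them from cache.
}

sub vcl_fetch {
  # Defence in depth: never store a response the application marks private
  # (as Email Alert Frontend now does) or one that sets a cookie, so that one
  # user's subscription pages can never be served to another user.
  if (beresp.http.Cache-Control ~ "(?i)\b(private|no-store)\b" ||
      beresp.http.Set-Cookie) {
    return (hit_for_pass);
  }
}
```

The cookie-whitelisting sequence is the pattern from the Varnish documentation; the vcl_fetch check is belt-and-braces on top of the application's own Cache-Control: private header.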