Working with Cookies on Pantheon

Tips and tricks for working with cookies on your Pantheon Drupal and WordPress sites.

Discuss in our Forum Discuss in Slack

This page covers working with basic cookies on Pantheon. If you're looking to create session based cookies to bypass caching, refer to Using Your Own Session-Syle Cookies from our Caching: Advanced Topics doc.

Disable Caching for Specific Pages

You can use regular expression(s) to determine if the current request ($_SERVER['REQUEST_URI']) should be excluded from cache. If the request matches, bypass cache by setting the NO_CACHE cookie in the response.

For example, this block sets NO_CACHE for all pages in the /news/ directory:

 * Set or replace $friendly_path accordingly.
 * We don't set this variable for you, so you must define it
 * yourself per your specific use case before the following conditional.
 * Example: anything in the /news/ directory

$friendly_path = '/news/';

if (preg_match('#^' . $friendly_path . '#', $_SERVER['REQUEST_URI'])) {
  $domain =  $_SERVER['HTTP_HOST'];
  setcookie('NO_CACHE', '1', time()+0, $friendly_path, $domain);

Be sure the friendly_path variable is properly set to restrict the cookie to the specific directory.

As an alternative to setting a NO_CACHE cookie within the response, you can modify the Cache-Control header to bypass cache on Pantheon.

Disable Caching in The Dev Environment

You may decide to disable caching in the Dev environment as you make changes to cacheable files like CSS, JavaScript or images so that you don't need to clear the cache to see these changes.

To bypass caching in the Dev environment, add the following to settings.php for Drupal and wp-config.php for WordPress:

  if ($_SERVER['PANTHEON_ENVIRONMENT'] === 'dev') {
    $domain = $_SERVER['HTTP_HOST'];
    setcookie('NO_CACHE', '1', time()+0, $_SERVER['REQUEST_URI'], $domain);

Cache-Busting Cookies

The following is the "Cache-Busting Cookie Patterns" section from Pantheon's Varnish configuration (.vcl) file for your reference. Advanced Drupal and WordPress developers should reference this if they have any questions regarding what cookie patterns the Global CDN will not cache:

bp_completed_create_steps # BuddyPress cookie used when creating groups
bp_new_group_id # BuddyPress cookie used when creating groups

Cache-Varying Cookies

Respond to a request with cached content depending on the presence and value of a particular cookie. It's important to note that in order for the response to be cached by Pantheon's edge, the cookie name must match STYXKEY[a-zA-Z0-9_-]+.

First, check to see if the cookie is set within the incoming request. If the cookie is set, store the value and use it to generate varied content as appropriate for your use case and implementation.


If the value has already been set, do not set the cookie again in the response. Varnish cannot cache a response that contains a Set-Cookie: header.

If the value is not set, respond with setcookie() to serve cached content for subsequent requests within the defined cookie lifetime.

The following example can be used interchangeably between WordPress and Drupal:

$bar = 'Around here, football is the winter sport of choice!';
if (isset($_COOKIE['STYXKEY_gorp'])) {

  $foo = $_COOKIE['STYXKEY_gorp'];
  // Generate varied content based on cookie value
  // Do NOT set cookies here; Set-Cookie headers do not allow the response to be cached
  if ($foo == 'ca') {
    str_replace('football', 'hockey', $bar);

  * Set local vars passed to setcookie()
  * Example:
  * @code
  * $name = 'STYXKEY_gorp';
  * $value = 'bar';
  * $expire = time()+600;
  * $path = '/foo';
  * $domain =  $_SERVER['HTTP_HOST'];
  * $secure = true;
  * $httponly = true;
  * @endcode
  setcookie($name, $value, $expire, $path, $domain, $secure, $httponly);

Setting Cookies for Platform Domains

Setting cookies for the bare domain is not supported, as this would force all sites on the platform to read cookies from all other sites. However, you can set cookies for platform domains (e.g. and custom domains (e.g.,

The Pantheon Edge size limit for Cookies is 10K. Any larger cookies are dropped, and the request is processed as if there was no cookie sent. The header X-Cookies-Dropped: 1 is added to the request and response, indicating that they have been truncated.

Knowing this, you can choose to configure your code to listen for this header and respond, with a custom error page for example.

Note that too many set-cookie headers in the response can also create issues.

Static Files

Pantheon strips cookies for files with common static file extensions. See File Suffixes and Cookies in our Caching: Advanced Topics doc for more information.


It's important to note that for the response to be cached by Pantheon's edge, the cookie name must match the STYXKEY[a-zA-Z0-9_-]+ convention.

The best way to utilize cookies on Pantheon is by having the cookie name match the STYXKEY[a-zA-Z0-9_-]+ naming convention, and loading them in the first load, not on every page load. Refer to the sample code outlined here

No, the vcl cookie pattern is a platform wide setting and cannot be overridden. You will need to modify your code to have the cookie name prefix as STYXKEY_ and follow the sample code here in order for your site to be properly cached.

See Also