Session cookie breaks varnish caching

Is there a reason why anonymous users are getting cookies set? Is it not enough to set these variables in cookies/session for users once they're logged in?

In the absence of a fix, is there an alternative to using autologout to force a logout?

I read something on Fourkitchens that says the solution is to disable the module :( !!!

Try this: Update the autologout_boot function to:

function autologout_boot() {
  global $user;
  if($user->uid < 1) {
    return;
  }
  
  if ( !isset($_SESSION['autologout_hits']) ) {
    $_SESSION['autologout_hits'] = array();
  }
  $_SESSION['autologout_hits'][] = time();
}

The first few lines prevent an anonymous user from getting a session cookie.

PS: A BIG THANKS to Anthony R. from Chapter Three for providing this fix! Works in D7, try it in D6 and update the thread. Looks like it will work there as well.

The autologout_boot() function does not exist in version 6.x-4.0? I'm using D6

From what I check on its code, this D6 module has overcome this issue by

/**
 * Implementation of hook_init().
 */
function autologout_init() {
  global $user;
  if ($user->uid && _autologout_logout_role($user)) {
    // should we be enforcing on admin pages?
    if (arg(0) == 'admin' && !variable_get('autologout_enforce_admin', FALSE)) {
      return;
    }

So that we can configure the anonymous user permission to not using autologout feature. Then they will not be given server side cookie (session) and Varnish caching won't break. Anyone can confirm this?

Confirmed
autologout 6.x-2.6 varnish caching broken
autologout 6.x-4.0 varnish caching works

Patch against version 6.x-2.x-dev (where it is still not fixed) attached.

Slightly better patch, not using user_is_anonymous(), as it is not available yet at this stage (in hook_boot()) when called by drush. Instead, it just replicated its code.

This patch has been committed.

@maciej.zgadzaj - thanks for the patch