If the role cookie expires before the session cookie does and the page cache is varied on the role cookie, the following situation can occur:
- Session cookie lifetime set to greater than 1 day
- The page is varied on the role cookie
1. User A logs in with the "Special user role"
2. After 1 day (the default esi_seed_key_rotation_interval), User A's role cookie expires while the session cookie is still valid
3. User B, who is anonymous (and therefore has no role cookie), visits a page and the anonymous version is cached
4. User A visits that page. Because he no longer has a role cookie, the cache assumes he is anonymous and serves him the cached anonymous version
Because of this, the role cookie should always be set with a lifetime at least as long as the session cookie's. Patch attached.
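The scenario above, as an added simulation (not the module's own code): a toy cookie jar with per-cookie expiry and a page cache keyed on the role cookie value. With the role cookie expiring after one day and the session lasting two, User A is served the anonymous copy; with the role cookie lifetime raised to match the session, he gets the role-specific copy. Cookie names, lifetimes and the `simulate` helper are assumed for illustration.

```python
from dataclasses import dataclass, field

DAY = 86400  # seconds


@dataclass
class Browser:
    """Minimal cookie jar: name -> (value, expiry timestamp). Constructed for the example."""
    cookies: dict = field(default_factory=dict)

    def set(self, name, value, now, lifetime):
        self.cookies[name] = (value, now + lifetime)

    def get(self, name, now):
        entry = self.cookies.get(name)
        if entry is None or entry[1] <= now:  # absent or expired
            return None
        return entry[0]


class RoleVaryingCache:
    """Page cache whose key includes the role cookie value (cache varied on role)."""

    def __init__(self):
        self.store = {}

    def fetch(self, path, role, render):
        key = (path, role or "anonymous")  # no role cookie -> treated as anonymous
        if key not in self.store:
            self.store[key] = render(role)
        return self.store[key]


def render(role):
    return f"page for {role or 'anonymous'}"


def simulate(role_cookie_lifetime, session_cookie_lifetime=2 * DAY):
    """Replay the four steps from the report and return what User A is served at day 1."""
    cache = RoleVaryingCache()
    user_a, user_b = Browser(), Browser()
    # Step 1: User A logs in and receives a session cookie and a role cookie.
    user_a.set("SESS", "a-session", now=0, lifetime=session_cookie_lifetime)
    user_a.set("ROLE", "special", now=0, lifetime=role_cookie_lifetime)
    # Steps 2-3: one day later, anonymous User B primes the cache for /page.
    now = DAY
    cache.fetch("/page", user_b.get("ROLE", now), render)
    # Step 4: User A, whose session is still valid, requests the same page.
    assert user_a.get("SESS", now) is not None
    return cache.fetch("/page", user_a.get("ROLE", now), render)
```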