Using HTTP Cache for Logged-In Users

How to Enable HTTP Cache for Logged-in Users

By default, Shopware disables HTTP caching for logged-in users to prevent the accidental caching of personalized content. However, some performance tweaks in the official documentation describe how to enable it manually.

Default Behavior in Shopware

Risk When Enabling HTTP Cache for Logged-in Users

Shopware generates a cache hash based on several parameters:

  • Rule IDs

  • Currency ID

  • Tax State

  • Version ID

However, this cache hash does not include the customer ID. This means:

If two users share the same currency, tax state, and rule set, they may receive the same cache hash and therefore the same cached content.

This can result in a serious data protection issue, where logged-in customers might see personalized data (like headers, prices, etc.) from other customers.

Recommendation

  • Do not enable HTTP caching for logged-in users unless you are absolutely sure your shop does not serve any personalized content.

  • If you do enable it, you must customize the cache hash generation to ensure that each logged-in customer receives a unique cache version.
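The collision described above, and the effect of adding the customer ID to the hash, can be seen in a small model. This is an added example, not Shopware's code or the plugin's: the function names, the use of SHA-256 over JSON, and the sample contexts are assumptions made for illustration.

```python
import hashlib
import json


def context_hash(ctx, include_customer=False):
    """Model of a cache hash built from the four parameters listed above.
    With include_customer=True the customer ID is appended for logged-in users."""
    parts = [sorted(ctx["rule_ids"]), ctx["currency_id"],
             ctx["tax_state"], ctx["version_id"]]
    if include_customer and ctx.get("customer_id"):
        parts.append(ctx["customer_id"])
    return hashlib.sha256(json.dumps(parts).encode()).hexdigest()


def render(url, ctx):
    """Stand-in for a storefront page with a personalized header."""
    return f"<header>Hello {ctx.get('customer_name') or 'guest'}</header> {url}"


class PageCache:
    """Toy shared HTTP cache keyed by (URL, context hash)."""

    def __init__(self, include_customer):
        self.include_customer = include_customer
        self.store = {}

    def fetch(self, url, ctx):
        key = (url, context_hash(ctx, self.include_customer))
        if key not in self.store:  # miss: render for whoever asked first
            self.store[key] = render(url, ctx)
        return self.store[key]


# Constructed sample contexts: same rules, currency, tax state and version.
SHARED = {"rule_ids": ["rule-b2b", "rule-eu"], "currency_id": "cur-eur",
          "tax_state": "gross", "version_id": "live"}
ALICE = {**SHARED, "customer_id": "cust-1", "customer_name": "Alice"}
BOB = {**SHARED, "customer_id": "cust-2", "customer_name": "Bob"}
GUEST_A = {**SHARED}
GUEST_B = {**SHARED}


def bob_sees_alice(include_customer):
    """Alice warms the cache, then Bob requests the same URL."""
    cache = PageCache(include_customer)
    cache.fetch("/account", ALICE)
    return "Alice" in cache.fetch("/account", BOB)


if __name__ == "__main__":
    print("hash without customer ID leaks:", bob_sees_alice(False))
    print("hash with customer ID leaks:   ", bob_sees_alice(True))
```

Guests still share one cache entry in this model, so only logged-in traffic pays for the per-customer split.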

Our Solution: Per-Customer Cache Hash Plugin

To support scenarios where HTTP caching for logged-in users is required (e.g., for performance reasons), we’ve developed a lightweight, open-source Shopware plugin: B2B Customer Cache Index Plugin

This plugin:

  • Listens to the kernel.response event

  • Extends the HTTP cache hash with the customer ID (only when logged in)

  • Ensures that every customer gets their own cache version

  • Mitigates the risk of leaking personalized data via cache

Installation

You can download and install the plugin manually from the link below.
