1. Caching set cookies Caching an object with a Set-Cookie header can have devastating effects, as any client requesting the object will get that same cookie set. This can potentially lead to a session transfer. In general we recommend avoiding the use of return (deliver) in vcl_fetch, to stay safe against this. If you really do need a return (deliver), be careful and check for the presence of Set