From 0ec6a26d7cea4e9e388f1e3579c67804963e0608 Mon Sep 17 00:00:00 2001
From: Tommy George <github.com@tommygeorge.com>
Date: Mon, 11 Nov 2019 11:43:21 -0600
Subject: [PATCH] Fix password-protected pages

WordPress allows password protecting pages, per https://wordpress.org/support/article/using-password-protection/

When the end-user enters a password, WordPress sets a cookie value prefixed `wp-postpass_` followed by a hash for the URL.

Previously, since cookies are stripped, the page just "reloads" the cached version after an end user enters the page password.

This change to the VCL bypasses cache for folks with that cookie set.

To be fair, this does seem awfully broad, but I'm not sure how to resolve this for only the specific URLs in question. So this is my cheap workaround for the moment. My hope is this at least sparks conversation or brings someone along who knows more about how to *more correctly* do this (page specific?) if this change doesn't seem right for you.
---
 vcl_snippets/recv.vcl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/vcl_snippets/recv.vcl b/vcl_snippets/recv.vcl
index fcaf8cb..f1b2cff 100644
--- a/vcl_snippets/recv.vcl
+++ b/vcl_snippets/recv.vcl
@@ -24,7 +24,7 @@
 
   if ( req.http.Cookie ) {
     ### do not cache authenticated sessions
-    if (req.http.Cookie ~ "(wordpress_|PHPSESSID)") {
+    if (req.http.Cookie ~ "(wordpress_|wp-postpass_|PHPSESSID)") {
       set req.http.X-Pass = "1";
     } else if (!req.http.X-Pass) {
       # Cleans up cookies by removing everything except vendor_region, PHPSESSID and themetype2