magento2 – Magento 2 Varnish caching add to cart session from another user

When adding an item to cart, it will also show a second item, which I have previously added to cart from a different device. If I bypass varnish cache, cart seems to work ok. Guess I am missing a setting about cookies and session? Here is my Varnish default.vcl

# VCL version 5.0 is not supported so it should be 4.0 even though actually used Varnish version is 6
vcl 4.1;

import std;

backend default {
    .path = "/run/nginx/nginx.sock";
    #.host = "localhost";
    #.port = "8080";
    .first_byte_timeout = 600s;
    .probe = {
        .url = "/health_check.php";
        .timeout = 2s;
        .interval = 5s;
        .window = 10;
        .threshold = 5;
   }
}

acl purge {
    "localhost";
    "127.0.0.1";
}


sub vcl_recv {


    # Implementing websocket support (https://www.varnish-cache.org/docs/4.0/users-guide/vcl-example-websockets.html)
    if (req.http.Upgrade ~ "(?i)websocket") {
    return (pipe);
    }

    #Forbidd deny IPs
     if (client.ip ~ forbidden) {
        return(synth(403, "Forbidden"));
      }

    # Normalize hostname to avoid double caching
    set req.http.host = regsub(req.http.host,
    "^mysite.com$", "www.mysite.com"); 
       
    # Allow purging from ACL
    if (req.method == "PURGE") {
        if (client.ip !~ purge) {
            return (synth(405, "Method not allowed"));
     }

# To use the X-Pool header for purging varnish during automated deployments, make sure the X-Pool header
# has been added to the response in acl purgeyour backend server config. This is used, for example, by the
# capistrano-magento2 gem for purging old content from varnish during it's deploy routine.
        if (!req.http.X-Magento-Tags-Pattern && !req.http.X-Pool) {
            return (synth(400, "X-Magento-Tags-Pattern or X-Pool header required"));
        }
        if (req.http.X-Magento-Tags-Pattern) {
          ban("obj.http.X-Magento-Tags ~ " + req.http.X-Magento-Tags-Pattern);
        }
        if (req.http.X-Pool) {
          ban("obj.http.X-Pool ~ " + req.http.X-Pool);
        }
       return (purge);
    }

################

# Brotli Compression
if(req.http.Accept-Encoding ~ "br" && req.url !~
            ".(jpg|png|gif|gz|mp3|mov|avi|mpg|mp4|swf|wmf)$") {
        set req.http.X-brotli = "true";
    }

# Tell PageSpeed not to use optimizations specific to this request.
  set req.http.PS-CapabilityList = "fully general optimizations only";

# Don't allow external entities to force beaconing.
  #unset req.http.PS-ShouldBeacon;

### Cookies

    # Remove any Google Analytics based cookies
      set req.http.Cookie = regsuball(req.http.Cookie, "__utm.=(^;)+(; )?", "");
      set req.http.Cookie = regsuball(req.http.Cookie, "_ga=(^;)+(; )?", "");
      set req.http.Cookie = regsuball(req.http.Cookie, "_gat=(^;)+(; )?", "");
      set req.http.Cookie = regsuball(req.http.Cookie, "utmctr=(^;)+(; )?", "");
      set req.http.Cookie = regsuball(req.http.Cookie, "utmcmd.=(^;)+(; )?", "");
      set req.http.Cookie = regsuball(req.http.Cookie, "utmccn.=(^;)+(; )?", "");

    # Remove DoubleClick offensive cookies
    set req.http.Cookie = regsuball(req.http.Cookie, "__gads=(^;)+(; )?", "");

    # Remove the AddThis cookies
    set req.http.Cookie = regsuball(req.http.Cookie, "__atuv.=(^;)+(; )?", "");

    # Remove has_js and Cloudflare/Google Analytics __* cookies.
    set req.http.Cookie = regsuball(req.http.Cookie, "(^|;s*)(_(_a-z)+|has_js)=(^;)*", "");
    # Remove a ";" prefix, if present.
    set req.http.Cookie = regsub(req.http.Cookie, "^;s*", "");
        
    #Redirect

    if (req.http.X-Forwarded-Proto !~ "(?i)https" ) {
        set req.http.x-Redir-Url = "https://" + req.http.host + req.url;
        return ( synth( 750 ));
       }

    # Setting http headers for backend
    set req.http.X-Forwarded-For = client.ip;
    set req.http.X-Forwarded-Proto = "https";

    # Unset headers that might cause us to cache duplicate infos
    unset req.http.Accept-Language;
    unset req.http.User-Agent;
    
    ### Do not Cache: special cases ###

    # Do not cache AJAX requests.
    if (req.http.X-Requested-With == "XMLHttpRequest") {
    return(pass);
    }

    # Post requests will not be cached
    if (req.http.Authorization || req.method == "POST") {
    return (pass);
    }
        
    # on PROXY connections the server.ip is the IP the client connected to.
    # (typically the DNS-visible SSL/TLS virtual IP)
    
    std.log("Client connected to " + server.ip);
    if (std.port(server.ip) || 443) {
    
        # client.ip for PROXY requests is set to the real client IP, not the
        # SSL/TLS terminating proxy.
    
        std.log("Real client connecting over SSL/TLS from " + client.ip);
    
        }
        # Exclude from cache

        }
        if (req.url ~ "^/pagespeed_admin") {
        return(pass);
        }
        if (req.url ~ "^/pagespeed_global_admin") {
        return(pass);
        }
        # Bypass shopping cart, checkout
        if (req.url ~ "^/checkout") {
        return (pass);
        }

    if (req.http.User-Agent ~ "GoogleStackdriverMonitoring-UptimeChecks") {
        return(pass);
        }
        # Don't cache pagespeed as it already caches it's recources
        if (req.url ~ ".pagespeed.((a-z).)?(a-z){2}.(^.){20}.(^.)+") {
        return (pass);
        }

    #If too many restarts
        if (req.restarts > 0) {
        set req.hash_always_miss = true;
        }

############################

# Only deal with "normal" types
    if (req.method != "GET" &&
        req.method != "HEAD" &&
        req.method != "PUT" &&
        req.method != "POST" &&
        req.method != "TRACE" &&
        req.method != "OPTIONS" &&
        req.method != "DELETE") {
          /* Non-RFC2616 or CONNECT which is weird. */
          return (pipe);
    }

    # We only deal with GET and HEAD by default
    if (req.method != "GET" && req.method != "HEAD") {
        return (pass);
    }

    # Bypass health check requests
    if (req.url ~ "/pub/health_check.php") {
        return (pass);
    }

    # Set initial grace period usage status
    set req.http.grace = "none";

    # normalize url in case of leading HTTP scheme and domain
    set req.url = regsub(req.url, "^http(s)?://", "");

    # collect all cookies
    std.collect(req.http.Cookie);

    # Compression filter. See https://www.varnish-cache.org/trac/wiki/FAQ/Compression
    if (req.http.Accept-Encoding) {
        if (req.url ~ ".(jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|swf|flv)$") {
       # No point in compressing these
          unset req.http.Accept-Encoding;
        } elsif (req.http.Accept-Encoding ~ "gzip") {
            set req.http.Accept-Encoding = "gzip";
        } elsif (req.http.Accept-Encoding ~ "deflate" && req.http.user-agent !~ "MSIE") {
            set req.http.Accept-Encoding = "deflate";
        } else {
            # unknown algorithm
            unset req.http.Accept-Encoding;
        }
    }

    # Remove all marketing get parameters to minimize the cache objects
    if (req.url ~ "(?|&)(gclid|cx|ie|cof|siteurl|zanpid|origin|fbclid|mc_(a-z)+|utm_(a-z)+|_bta_(a-z)+)=") {
        set req.url = regsuball(req.url, "(gclid|cx|ie|cof|siteurl|zanpid|origin|fbclid|mc_(a-z)+|utm_(a-z)+|_bta_(a-z)+)=(-_A-z0-9+()%.)+&?", "");
        set req.url = regsub(req.url, "(?|&)+$", "");
    }

    # Static files caching
    if (req.url ~ "^/(pub/)?(media|static)/.*.(ico|html|css|js|jpg|jpeg|png|gif|tiff|webp|bmp|mp3|ogg|svg|swf|woff|woff2|eot|ttf|otf)$") {
       # Static files should not be cached by default
        return (pass);

        #But if you use a few locales and don't use CDN you can enable caching static files by commenting previous line (#return (pass);) and uncommenting next 3 lines
        #unset req.http.Https;
        #unset req.http.X-Forwarded-Proto;
        #unset req.http.Cookie;
    }

    # Authenticated GraphQL requests should not be cached by default
    if (req.url ~ "/graphql" && req.http.Authorization ~ "^Bearer") {
        return (pass);
    }

    return (hash);
}

sub vcl_synth {

if (resp.status == 750) {
        set resp.status = 301;
        set resp.http.Location = req.http.x-Redir-Url;
        return(deliver);
    }
}
sub vcl_hash {
    # Brotli
    if(req.http.X-brotli == "true" && req.http.X-brotli-unhash != "true") {
        hash_data("brotli");
    }
    if (req.http.cookie ~ "X-Magento-Vary=") {
        hash_data(regsub(req.http.cookie, "^.*?X-Magento-Vary=((^;)+);*.*$", "1"));
    }

    # For multi site configurations to not cache each other's content
    if (req.http.host) {
        hash_data(req.http.host);
    } else {
        hash_data(server.ip);
    }

    if (req.url ~ "/graphql") {
        call process_graphql_headers;
    }

}

sub process_graphql_headers {
    if (req.http.Store) {
        hash_data(req.http.Store);
    }
    if (req.http.Content-Currency) {
        hash_data(req.http.Content-Currency);
    }
}


#Brotli
sub vcl_backend_fetch {
    if(bereq.http.X-brotli == "true") {
        set bereq.http.Accept-Encoding = "br";
        unset bereq.http.X-brotli;
    }
}

sub vcl_pipe {
    if (req.http.upgrade) {
      set bereq.http.upgrade = req.http.upgrade;
    }

    return (pipe);
  }

sub vcl_backend_response {
set beresp.http.X-Host = bereq.http.host;

 set beresp.grace = 3d;

#PageSpeed
if (beresp.http.Content-Type ~ "text/html") {
     unset beresp.http.Cache-Control;
     set beresp.http.Cache-Control = "no-cache, max-age=0";
   }
   return (deliver);    


if (beresp.http.content-type ~ "text") {
        set beresp.do_esi = true;
    }

    if (bereq.url ~ ".js$" || beresp.http.content-type ~ "text") {
        set beresp.do_gzip = true;
    }

    if (beresp.http.X-Magento-Debug) {
        set beresp.http.X-Magento-Cache-Control = beresp.http.Cache-Control;
    }

   # cache only successfully responses and 404s
    if (beresp.status != 200 && beresp.status != 404) {
        set beresp.ttl = 0s;
        set beresp.uncacheable = true;
        return (deliver);
    } elsif (beresp.http.Cache-Control ~ "private") {
        set beresp.uncacheable = true;
        set beresp.ttl = 86400s;
        return (deliver);
    }

    # validate if we need to cache it and prevent from setting cookie
    if (beresp.ttl > 0s && (bereq.method == "GET" || bereq.method == "HEAD")) {
        unset beresp.http.set-cookie;
    #unsets the cookie for GET or HEAD requests.
    if (bereq.url !~ ".(ico|css|js|jpg|jpeg|png|gif|tiff|bmp|gz|tgz|bz2|tbz|mp3|ogg|svg|swf|woff|woff2|eot|ttf|otf)(?|$)") {
  set beresp.http.Pragma = "no-cache";
  set beresp.http.Expires = "-1";
  set beresp.http.Cache-Control = "no-store, no-cache, must-revalidate, max-age=0";
  }
}

   # "Microcache" for search
   if (bereq.url ~ "/catalogsearch") {
       set beresp.ttl = 30m;
   }

   # If page is not cacheable then bypass varnish for 2 minutes as Hit-For-Pass
   if (beresp.ttl <= 0s ||
       beresp.http.Surrogate-control ~ "no-store" ||
       (!beresp.http.Surrogate-Control &&
       beresp.http.Cache-Control ~ "no-cache|no-store") ||
       beresp.http.Vary == "*") {
        # Mark as Hit-For-Pass for the next 2 minutes
        set beresp.ttl = 120s;
        set beresp.uncacheable = true;
    }

    return (deliver);
}

sub vcl_deliver {
    if (resp.http.X-Magento-Debug) {
        if (resp.http.x-varnish ~ " ") {
            set resp.http.X-Magento-Cache-Debug = "HIT";
            set resp.http.Grace = req.http.grace;
        } else {
            set resp.http.X-Magento-Cache-Debug = "MISS";
        }
    } else {
        unset resp.http.Age;
    }


    unset resp.http.X-Magento-Debug;
    unset resp.http.X-Magento-Tags;
    unset resp.http.X-Powered-By;
    unset resp.http.Server;
    unset resp.http.X-Varnish;
    unset resp.http.Via;
    unset resp.http.Link;
}


sub vcl_hit {

    if (obj.ttl >= 0s) {
        # Hit within TTL period
        return (deliver);
    }
    if (std.healthy(req.backend_hint)) {
        if (obj.ttl + 300s > 0s) {
            # Hit after TTL expiration, but within grace period
            set req.http.grace = "normal (healthy server)";
            return (deliver);
        } else {
            # Hit after TTL and grace expiration
            return (restart);
        }
    } else {
        # server is not healthy, retrieve from cache
        set req.http.grace = "unlimited (unhealthy server)";
        return (deliver);
    }
}


#Brotli
sub vcl_purge {
 
   # repeat purge for brotli or gzip object 
    # (force hash/no hash on "brotli" while doing another purge)
    # set Accept-Encoding: gzip so that we don't get brotli-encoded response upon purge

    if (req.url !~ ".(jpg|png|gif|gz|mp3|mov|avi|mpg|mp4|swf|wmf)$" && 
            !req.http.X-brotli-unhash) {
        if (req.http.X-brotli == "true") {
            set req.http.X-brotli-unhash = "true";
            set req.http.Accept-Encoding = "gzip";
        } else {
            set req.http.X-brotli-unhash = "false";
            set req.http.Accept-Encoding = "br";
        }        
        return (restart);
    } 
}