Yii

YII2 and SYMFONY2 - how are things going with sessions?

Some time I write on YII (the first branch). Now a project is being prepared, which is waiting for a high load.
There is a dedicated server 16 processors, 24G RAM. It has CentOS 6.5 with KWM ( host ), KWM has Debian 7.3 ( virtual server )
. On the host, nginx acts as a load balancer (it is planned to install the 2nd, 3rd ... Nth server in case of resource shortage). It can also act as a transparent proxy (I haven’t set it up yet, due to the same rake that is described below).
On the NGINX + PHP5-FPM virtual machine, and the site itself on YII
So, when setting up fastcgi_cacheI ran into an insurmountable problem, the fact is that a cookie with PHPSESSID also flies into the cache, therefore the first one to come in and generate the cache with his session, and the second third and so on (until the cache goes out) will receive other people's cookies in this way. You can, of course, not let the cookie into the cache (fastcgi_hide_header "Set-Cookie";) BUT! then authorization does not work, since it is in cookies that YII stores the CSRF token.
The trouble is that YII starts a session even for non-authorized users, and 'autoStart'=>false in the config won't help, since the session will still start on the first call to Yii::app()->user .
Question to YII2 and SYMFONY2 connoisseurs, do these frameworks for guests also start the session or not?
Question number 2 - maybe there is a way to beautifully solve "my" problem?