diff --git a/cookbook/cache/varnish.rst b/cookbook/cache/varnish.rst
index 6e1ac0c32b7..41ae548aafa 100644
--- a/cookbook/cache/varnish.rst
+++ b/cookbook/cache/varnish.rst
@@ -72,11 +72,10 @@ If you know for sure that the backend never uses sessions or basic
 authentication, have varnish remove the corresponding header from requests to
 prevent clients from bypassing the cache. In practice, you will need sessions
 at least for some parts of the site, e.g. when using forms with
-:ref:`CSRF Protection <forms-csrf>`. In this situation, make sure to only
-start a session when actually needed, and clear the session when it is no
-longer needed. Alternatively, you can look into :doc:`../cache/form_csrf_caching`.
-
-.. todo link "only start a session when actually needed" to cookbook/session/avoid_session_start once https://github.com/symfony/symfony-docs/pull/4661 is merged
+:ref:`CSRF Protection <forms-csrf>`. In this situation, make sure to
+:doc:`only start a session when actually needed </cookbook/session/avoid_session_start>`
+and clear the session when it is no longer needed. Alternatively, you can look
+into :doc:`/cookbook/cache/form_csrf_caching`.
 
 Cookies created in Javascript and used only in the frontend, e.g. when using
 Google analytics are nonetheless sent to the server. These cookies are not