Hi every one, I have to activate Cloudflare html cache to reduce the server load, so I have written a Middleware that

• sets Cache-Control to "public, max-age=14400" (default form Symfony\Component\HttpFoundation\ResponseHeaderBag is "no-cache, private")
• removes Set-Cookie form the response (october_session cookie!) for frontend pages without forms.

I have to remove october_session cookie because Cloudflare html cache is a shared cache "Cloudflare will not cache when there is a cookie in responses unless you enforce Edge cache TTL to overwrite the behavior. If that’s the case, Cloudflare will cache even cookies are there, hence, same cookies would be delivered for every user." Source: https://community.cloudflare.com/t/cookies-and-cache-sharing-cookie-values/49073

This is the Middleware handle function; isRelevant() excludes non html, backend and private requests. public function handle(LaravelRequest $request, Closure $next) {

    $response = $next($request);

    // Only handle default responses (no redirects)
    // Ignore non-html responses and backend responses
    // change the default Cache-Control: no-cache, private,
    if ( ! $this->isRelevant($request, $response)) {
        return $response;
    }

    if($cacheControl = Config::get('myplugin.meta::cacheControl')) {
      $response->headers->set('Cache-Control', $cacheControl);
      if (false === strpos($cacheControl, 'no-cache')) {
        /*
        vendor/symfony/http-foundation/Response.php
        // Check if we need to send extra expire info headers
        public function prepare(Request $request)
        if ('1.0' == $this->getProtocolVersion() && false !== strpos($headers->get('Cache-Control'), 'no-cache')) {
            $headers->set('pragma', 'no-cache');
            $headers->set('expires', -1);
        }
        */
        $response->headers->remove('pragma');
        $response->headers->remove('expires');
      }

      // remove response cookie to allow shared caching
      if (false === strpos($cacheControl, 'private')) {
        $response->headers->remove('Set-Cookie');
      }
    }
    return $response;
}

Everything seems to work well, but the question is: Do you see any drawback in removing october_session form the response?

Thank you in advance!

you won't be able to maintain a session between requests, so you won't be able to have front-end/backend users logged in.

Hello @mjauvin, thanks for your answer. All the pages where I would remove the Set-Cookie are anonymous, their content does not depend on front-end/backend users and the are no forms, so there's no need of sessionKey or CSRF fields. As they say in Cloudflare documentation "If there is a cookie in the response, then Cloudflare does not cache the resource". And it's cool, since that cookie would be shared between all users. I made some tests and for now seems to work well, and I have no other ideas.

Thanks for your work!

@luketowers any feedback on this one?

Should be fine so long as you don't need them to use any session data, i.e. something like a marketing popup

Thank you @LukeTowers. Everything seems ok. On backend the october_session cookie changes on each response and is accepeted by the browser, while on frontend remains the same, on the request. I'll add this plugin https://octobercms.com/plugin/heathdutton-cloudflare to prevent Rocket Loader js issues on the backend. Thank you!

Thank you @massimo.megistus for help our team!

Last updated 3 years ago