Merge pull request #3309 from bobdenotter/fix/no-cookies-in-frontend

Frontend requests should not set cookies. Remove them, to allow Varnish to do a better job of caching the request.
bolt · Apr 3, 2015 · 796a334 · 796a334
2 parents e860d01 + 972b18c
commit 796a334
Showing 1 changed file with 23 additions and 0 deletions.
diff --git a/src/Application.php b/src/Application.php
@@ -468,6 +468,24 @@ public function beforeHandler(Request $request)
         $this['stopwatch']->stop('bolt.app.before');
     }
 
+    /**
+     * Remove the 'bolt_session' cookie from the headers if it's about to be set.
+     *
+     * Note, we don't use $request->clearCookie (logs out a logged-on user) or
+     * $request->removeCookie (doesn't prevent the header from being sent).
+     */
+    public function unsetSessionCookie()
+    {
+        if (!headers_sent()) {
+            $headersList = headers_list();
+            foreach($headersList as $header) {
+                if (strpos($header, "Set-Cookie: bolt_session=") === 0) {
+                    header_remove("Set-Cookie");
+                }
+            }
+        }
+    }
+
     /**
      * Global 'after' handler. Adds 'after' HTML-snippets and Meta-headers to the output.
      *
@@ -479,6 +497,11 @@ public function afterHandler(Request $request, Response $response)
         // Start the 'stopwatch' for the profiler.
         $this['stopwatch']->start('bolt.app.after');
 
+        // Don't set 'bolt_session' cookie, if we're in the frontend or async.
+        if ($this['config']->getWhichEnd() != 'backend') {
+            $this->unsetSessionCookie();
+        }
+
         // Set the 'X-Frame-Options' headers to prevent click-jacking, unless specifically disabled. Backend only!
         if ($this['config']->getWhichEnd() == 'backend' && $this['config']->get('general/headers/x_frame_options')) {
             $response->headers->set('X-Frame-Options', 'SAMEORIGIN');