Always a session cookie? #726

Closed
Musiksammler opened this Issue Mar 27, 2013 · 19 comments


Musiksammler commented Mar 27, 2013

Hello!

I'm working on a relaunch of my site with laravel4 as the basis. Everything is okay but one thing bothers me. Even if I'm not doing anything on the site except for surfing around there is always the laravel session cookie set.

As I'm planning to use varnish in front of my application this session cookie will break all caching in varnish. I could erase it in the request in varnish before sending it to the backend but then I won't have a session cookie when I really need it. For example when a user logs in.

So, is it somehow possible that this session cookie is not set unless it's really needed? Or would it break certain functionality if this cookie is not there?

Greetings
Carsten

taylorotwell commented Mar 27, 2013

If you don't need session cookies, use the array session driver.

Musiksammler commented Mar 28, 2013

No, that wouldn't work. I need sessions (and so the cookie) but only at a certain point. For example if a user logs in. For normal guest visitors I don't need a session or the cookie.

I don't think that I can change the session driver during runtime?

roberto-butti commented Jun 14, 2013

I have the same situation. I'm looking to see if there is a way to "start_session" when I really need it.

bmtKIA6 commented Sep 26, 2013

+1

Some HTTP caching servers completely ignore pages with "Set-Cookie" headers.

aykutfarsak commented Nov 23, 2013

+1

There must be an option for that: "start session only if it is needed"

jtolj commented Dec 15, 2013

You can do what Taylor suggests as a route filter. Just apply it to the routes or route groups where you don't want a session cookie created.

Example:

```php
Route::filter('nocookie', function(){
    Config::set('session.driver', 'array');
});
```

lucasRolff commented Mar 15, 2014

@jtolj This won't work, since if you already have the cookie, it seems like setting a different session driver doesn't really fix the problem for reverse proxies. I know it executes the filter (I added some very basic logging to the filter).

So another solution needs to be found for this, for Laravel to work properly with Varnish or any other reverse proxy.

jtolj commented Mar 19, 2014

@lucasRolff This solution is working fine for me using nginx as a caching proxy. There is no Set-Cookie header in server responses for routes that use that filter.

I'm not that familiar with Varnish, but it looks like by default it does not cache if the client sends a cookie header.

I don't think that can be resolved by Laravel - once a cookie is set on a domain for a user, the client will always send it back. It does look like you can configure Varnish to ignore cookies for certain urls/conditions: https://www.varnish-cache.org/docs/3.0/tutorial/cookies.html

noguespi commented Aug 13, 2014

This doesn't work with the cookie session driver because the cookie session creates two cookies: laravel_session and random_name (which probably contains the session data).

If I set session.driver => array in my filter, it will only remove the laravel_session cookie, not the random one; hence, the caching doesn't work.

Moreover, setting session.driver => array will just prevent sending the laravel_session cookie, but the session will be created on the server (filesystem, database, ... depending on your original session).

So it sounds more like a hack. We need a way to be able to disable sessions by default and activate them only if the client reaches a certain route (/authentication) or if the client sends a session cookie with a valid session.

This will make integration of Laravel with HTTP caching easier.
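
A way to check the behaviour discussed in the comments above (whether routes meant for the cache still return a Set-Cookie header, including the second cookie of the cookie driver), as an added example that is not part of the thread or of Laravel. The paths, the cookie name `constructed_payload_cookie` and the sample responses are constructed for illustration.

```python
import re
from email.parser import HeaderParser

# Paths meant to be cached; mirrors the 'public/<id>.html' pattern used in the
# thread (an assumption of this example, adjust to your own routes).
CACHEABLE = re.compile(r"^/public/[0-9]+\.html$")

# Constructed sample responses (path -> raw status line and headers).
SAMPLES = {
    "/public/7.html": "HTTP/1.1 200 OK\nContent-Type: text/html\n",
    "/public/42.html": (
        "HTTP/1.1 200 OK\n"
        "Content-Type: text/html\n"
        "Set-Cookie: constructed_payload_cookie=constructed; path=/; httponly\n"
    ),
    "/public/9.html": (
        "HTTP/1.1 200 OK\n"
        "set-cookie: laravel_session=constructedvalue; path=/; httponly\n"
        "set-cookie: constructed_payload_cookie=constructed; path=/; httponly\n"
    ),
    "/login": (
        "HTTP/1.1 200 OK\n"
        "Set-Cookie: laravel_session=constructedvalue; path=/; httponly\n"
    ),
}


def cookie_names(raw_response):
    """Names of every cookie set by one response (header names are case-insensitive)."""
    _status, _, header_block = raw_response.partition("\n")
    headers = HeaderParser().parsestr(header_block)
    return [v.split("=", 1)[0].strip() for v in headers.get_all("Set-Cookie", [])]


def audit(responses):
    """Return {path: [cookie names]} for cacheable paths that still set cookies."""
    findings = {}
    for path, raw in responses.items():
        names = cookie_names(raw)
        if CACHEABLE.match(path) and names:
            findings[path] = names
    return findings


if __name__ == "__main__":
    for path, names in sorted(audit(SAMPLES).items()):
        print(f"{path}: still sets {', '.join(names)}")
```
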

noguespi commented Aug 13, 2014

I found a way to disable sessions before their initialization. I added the following ServiceProvider:

```php
<?php namespace Rejector;

use Illuminate\Support\ServiceProvider;

class SessionRejectorServiceProvider extends ServiceProvider {

    public function register()
    {
        // Bind a 'session.reject' callback that decides, per request,
        // whether the session should be rejected.
        $this->app->bind('session.reject', function(){

            return function($req){

                // Paths such as public/123.html (the dot is escaped so it only matches a literal '.')
                if( preg_match('|^public/[0-9]+\.html|', $req->path()) ){
                    // will override session.driver to array BEFORE session initialization and before any filter
                    return true;
                }

                return false;
            };
        });
    }

}
```

This way the "random" cookie containing the session data won't be added (and the other session files won't be created either if you use the file/database/memcached drivers).

mhayes14 commented Oct 11, 2014

It would be fantastic if we could have a real solution to this built into L5. :-)

taylorotwell commented Oct 11, 2014

The best solution is to override the Session\Writer middleware with your own.

Xethron commented Nov 2, 2014

Also have this problem.

We have cellphone apps that aren't cookie aware, and end up with roughly 18000 unused sessions, making garbage collection a tedious and long task.

Yes, I know, there are many solutions to solve this, but for a small website which normally only has about 100 active sessions, it seems like overkill to install Redis just because 99.5% of all sessions are unused.

jcbedier commented Nov 4, 2014

Hello,

Is there any news about this issue?

This is against all high traffic websites.

Regards,

brycelarge commented Nov 5, 2014

Yes, please can we have a fix for this in a new release of Laravel. Sessions should only be created once needed.

Xethron commented Nov 18, 2014

Any news on this? We've gone up to over 50,000 sessions, with roughly 100-500 being "real" logged in sessions.

mreschke commented Nov 22, 2014

Trying to force the session to array at run-time for non-logged in users doesn't work either. Config::set('session.driver', 'array') still creates a new session file with every click. It would be nice to override at runtime.

taylorotwell commented Nov 22, 2014

It's also easy to accomplish this in L5 by overriding the middleware.

On Friday, November 21, 2014, Matthew Reschke notifications@github.com wrote:

> This is the solution
> http://stackoverflow.com/questions/26473106/prevent-sessions-for-routes-in-laravel-custom-on-demand-session-handling



laravel locked and limited conversation to collaborators Nov 22, 2014
