Set-Cookie header bypass caches

[RonanOFM]

With cookie-based authentication, the header Set-Cookie is in the response headers on every SSR pages.
Set-Cookie auth.strategy=laravelSanctum; Path=/

Even pages that don't need authentication.

Why is it a problem ?

Because this header Set-Cookie is special, it bypass all caches, like Nginx cache or Varnish cache (doc links below).
Consequences are higher response time and it's quite bad for SEO.

Is it possible to add a config option for disable header Set-Cookie on SSR pages only ?

Docs :
Nginx : https://www.nginx.com/blog/nginx-caching-guide/
Varnish : https://varnish-cache.org/docs/3.0/tutorial/cookies.html

And thanks for this module 👍

[bmulholland]

Deciding whether cookies allow a cache bypass is the responsibility of your cache configuration, not, say, the auth module. You should be able to set it up there.

[fogine]

Deciding whether cookies allow a cache bypass is the responsibility of your cache configuration, not, say, the auth module. You should be able to set it up there.

Can we get back to this? While its the responsibility of the cache configuration to decide whether cookies allow a bypass cache. In this case, the issue seems like the auth module sets the following cookie for every response even if there is no user to authenticate. It should set auth strategy cookie once along the auth._token.local cookie value. Can you elaborate? @bmulholland Is there a specific reason why the auth.strategy cookie headers is set with every request response?

Set-Cookie: auth.strategy=local; Path=/

(I'm using local strategy).

[bmulholland]

Feel free to log an issue for "cookie should not be set if the user isn't logged in" -- that's a separate issue from this one