[HttpCache] Caches cookies by default #28305
Comments
I agree. That is probably why Varnish never caches requests with a
I think it makes sense to have the same defaults as Varnish. Would you like to submit a PR against master? (don't forget to put a note in the UPGRADING files)
You are explicitly setting your response to be a shared one. IMO you need to think carefully about your use case before you do that. For the same reason, One case where Side note: Does the Update to clarify the use case: You might have a cookie like
The more I think about this, the more I agree with @mpdude that if you explicitly set a response with cookies to public you should be aware of the consequences and If we don't cache responses with cookies we might as well remove all code concerning cookies from Adding it as a kind of safe guard option might make sense, but I'm not sure it's needed. I tend to think it's not.
Yes it does. So how do we continue here. I can see that having the
IMO you cannot magically tell which cookie is a session cookie and which one is not (not all session cookies need to be managed by Symfony?). I'd guess it comes down to education and raising awareness for the problem? Maybe update the docs with some helpful hints?
Closing as it seems this has been resolved as "nothing to fix".
Symfony version(s) affected: all

Description

`HttpCache` currently caches responses with cookies by default. This is not wrong as per the HTTP specification: responses with `Set-Cookie` headers are allowed to be cached. However, in most cases we use cookies to identify a single person only, so I guess it's fairly safe to say that the vast majority of developers would expect that cookies can safely contain any user-specific data and that it won't be shared, no matter the `Cache-Control: public`, `max-age` or `s-maxage` set on the response. `HttpCache`, however, currently caches a response whenever the caching headers are set, no matter if there are cookies or not. In my opinion, this is a dangerous default setting.

Also, given that Symfony ensures a response becomes `private` automatically when the session is started, this feels inconsistent to me, because the session is essentially just a cookie too. I don't see why this should be handled differently for other cookies, but I'm happy to hear about the use cases.

How to reproduce

1. Create a new project:

```
composer create-project symfony/skeleton .
```

2. Wrap the kernel in `HttpCache` in `public/index.php` like so:

```diff
 $kernel = new Kernel($env, $debug);
+$kernel = new \Symfony\Bundle\FrameworkBundle\HttpCache\HttpCache($kernel, $kernel->getCacheDir() . '/http_cache');
```

3. Create `src/Controller/CacheAction.php`:

4. Configure `config/routes.yaml` as follows:

5. Start the built-in web server and open the route:

```
php -S 127.0.0.1:8000 -t public
```

http://127.0.0.1:8000/cache

6. Look into `var/cache/<dev|prod>/http_cache` and see that the cookie is stored alongside the other information and will be shared with any other request.

Possible Solution

I think `HttpCache` should not cache any response that contains cookies by default. This should be a sane default behaviour.

Additional context

Nothing really, just wanted to take the opportunity to say thank you to all the people involved in Symfony Flex. Look at how easy it was to create a full application to set up a case for other people to reproduce! 😄 ❤️

/cc @leofeyer @aschempp
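The behaviour the issue describes, and the default it proposes, as an added example that is not part of the issue and not Symfony's own code: a constructed backend kernel (`TokenKernel`) issues a per-user token in a cookie on a response it explicitly marks `public, s-maxage=60`, and is wrapped in Symfony's real `HttpCache` with a filesystem `Store`. Two requests that carry no `Cookie` header (two different anonymous clients) are sent through it; the second is answered from the store, so the first client's response body, and on the version the issue was filed against also its `Set-Cookie`, is replayed to a client that never received that token. The script reports what it observed rather than assuming it. A second, hypothetical wrapper (`NoSharedCookieKernel`) applies the proposed default by marking any response that sets a cookie `private` before `HttpCache` sees it, mirroring what Symfony already does once a session is started. Assumes a Composer project with `symfony/http-kernel` and `symfony/http-foundation` installed (PHP 8.1+); the class names, the `user_token` cookie and the `/cache` path are my own.

```php
<?php
// Added example, not part of issue #28305 and not Symfony's own code.
// Assumes: composer require symfony/http-kernel symfony/http-foundation (PHP >= 8.1).

require __DIR__.'/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\HttpCache\HttpCache;
use Symfony\Component\HttpKernel\HttpCache\Store;
use Symfony\Component\HttpKernel\HttpKernelInterface;

// Constructed backend: every request gets a fresh per-user token in a cookie,
// and the response is explicitly marked shareable, as in the issue's reproduction.
final class TokenKernel implements HttpKernelInterface
{
    public function handle(Request $request, int $type = self::MAIN_REQUEST, bool $catch = true): Response
    {
        $token = bin2hex(random_bytes(8)); // constructed per-request secret
        $response = new Response('token='.$token);
        $response->headers->setCookie(Cookie::create('user_token', $token));
        $response->setSharedMaxAge(60); // Cache-Control: public, s-maxage=60

        return $response;
    }
}

// Hypothetical wrapper implementing the proposed default: a response that sets
// a cookie is never shareable. setPrivate() swaps "public" for "private", which
// makes Response::isCacheable() false, so HttpCache::fetch() does not store it.
final class NoSharedCookieKernel implements HttpKernelInterface
{
    public function __construct(private readonly HttpKernelInterface $inner)
    {
    }

    public function handle(Request $request, int $type = self::MAIN_REQUEST, bool $catch = true): Response
    {
        $response = $this->inner->handle($request, $type, $catch);
        if ($response->headers->getCookies()) {
            $response->setPrivate();
        }

        return $response;
    }
}

/**
 * Sends two requests without any Cookie header (two different anonymous clients)
 * through HttpCache backed by a filesystem Store and reports what the second got.
 */
function secondClientSees(HttpKernelInterface $backend): array
{
    $dir = sys_get_temp_dir().'/http_cache_demo_'.bin2hex(random_bytes(4));
    // debug => true makes HttpCache add an X-Symfony-Cache trace header
    $cache = new HttpCache($backend, new Store($dir), null, ['debug' => true]);

    $first = $cache->handle(Request::create('/cache'));
    $second = $cache->handle(Request::create('/cache'));

    $firstCookie = $first->headers->getCookies()[0] ?? null;
    $secondCookie = $second->headers->getCookies()[0] ?? null;

    return [
        // "fresh" in the trace: answered from the store without asking the backend
        'served_from_cache' => str_contains((string) $second->headers->get('X-Symfony-Cache'), 'fresh'),
        // the first client's body (and therefore its token) replayed to the second
        'body_shared' => $first->getContent() === $second->getContent(),
        // the first client's Set-Cookie replayed to the second
        'cookie_shared' => null !== $firstCookie && null !== $secondCookie
            && $firstCookie->getValue() === $secondCookie->getValue(),
    ];
}

echo 'HttpCache default:               ', json_encode(secondClientSees(new TokenKernel())), "\n";
echo 'cookie responses forced private: ', json_encode(secondClientSees(new NoSharedCookieKernel(new TokenKernel()))), "\n";
```

With the plain `TokenKernel` the second line of the trace is a cache hit and the body is shared; with `NoSharedCookieKernel` every request reaches the backend and all three flags are false. The wrapper is deliberately coarse: it cannot tell a session cookie from a harmless preference cookie, which is the objection raised in the comments above, so a real deployment would scope it (by cookie name or route) rather than apply it blindly.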