Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: duplicate Cache-Control header with Session #8601

Merged

Conversation

kenjis
Copy link
Member

@kenjis kenjis commented Mar 2, 2024

Description
Fixes #7266

  • remove the default CI4 Cache-Control header before the Session starts.

Before:

HTTP/1.1 200 OK
Host: localhost:8080
Date: Sat, 02 Mar 2024 12:54:18 GMT
Connection: close
X-Powered-By: PHP/7.4.33
Expires: Thu, 19 Nov 1981 08:52:00 GMT             // PHP Session
Cache-Control: no-store, no-cache, must-revalidate // PHP Session
Pragma: no-cache                                   // PHP Session
Cache-Control: no-store, max-age=0, no-cache       // CI4
Content-Type: text/html; charset=UTF-8

After:

HTTP/1.1 200 OK
Host: localhost:8080
Date: Sat, 02 Mar 2024 12:56:08 GMT
Connection: close
X-Powered-By: PHP/7.4.33
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=UTF-8

Checklist:

  • Securely signed commits
  • Component(s) with PHPDoc blocks, only if necessary or adds value
  • Unit testing, with >80% coverage
  • User guide updated
  • Conforms to style guide

@kenjis kenjis added the bug Verified issues on the current code behavior or pull requests that will fix them label Mar 2, 2024
Co-authored-by: John Paul E. Balandan, CPA <[email protected]>
@bgeneto
Copy link

bgeneto commented Mar 6, 2024

@kenjis Excuse my ignorance, but wouldn't it be better not to create this 'Cache-Control' header in the first place instead of creating it and removing it afterwards and thus adding a (maybe) unnecessary overhead to the framework? The ResponseTrait has

        $this->removeHeader('Cache-Control');
        $this->setHeader('Cache-Control', ['no-store', 'max-age=0', 'no-cache']);

It seems to me that the first line does not remove anything and the second line is adding the headers we want to remove while using sessions... What do you think?

@kenjis
Copy link
Member Author

kenjis commented Mar 6, 2024

I don't know why, but the behavior is intentional. It is not a bug.

By default, all response objects sent through CodeIgniter have HTTP caching turned off. The options and exact circumstances are too varied for us to be able to create a good default other than turning it off.
https://codeigniter4.github.io/CodeIgniter4/outgoing/response.html#http-caching

So we cannot change it as a bug fix.

Do you propose to remove the default cache control header?
If so, it is a breaking change and not allowed in develop branch.

public function noCache()
{
$this->removeHeader('Cache-Control');
$this->setHeader('Cache-Control', ['no-store', 'max-age=0', 'no-cache']);
return $this;
}

It seems to me that the first line does not remove anything and the second line is adding the headers we want to remove while using sessions...

It is the code in the public noCache() method. Devs can call it from somewhere.
So we cannot remove the first line. Because the cache control header may be set already.

What do you think?

I think it is better to remove the default cache control header. That is, to remove these lines:

// Default to a non-caching page.
// Also ensures that a Cache-control header exists.
$this->noCache();

Because I think it is better that devs have full control to cache control header, and it is simpler.
But it is a breaking change, so we need more consideration, and need to do it in 4.5 branch, if we do it.

@kenjis kenjis merged commit bcb88b4 into codeigniter4:develop Mar 9, 2024
62 checks passed
@kenjis kenjis deleted the fix-duplicate-cache-control-header branch March 9, 2024 23:37
@vikaskhunteta
Copy link

@kenjis The issue here is marked as fixed but I am still getting duplicate header when the session enabled globally and I have been trying to cache response of an API request, if I call this function session_cache_limiter(''); before the session start into initController inside BaseController then I am getting same error like this user comment

#7266 (comment)

image

Should I extend different controller for the API requests which doesn't start the session? What should be the HTTP response code if the request cached? I believe it should be 304 Not Modified but when I stopped session globally and cached the request I am always getting 200 OK response.

Framework version - 4.5.3
PHP Version - 8.2.12
OS - Windows 11 Home

@kenjis
Copy link
Member Author

kenjis commented Jul 12, 2024

@vikaskhunteta What do you mean by "when the session enabled globally"?

Read the code: https://github.com/codeigniter4/CodeIgniter4/pull/8601/files
That's what this PR does.

@vikaskhunteta
Copy link

@kenjis I mean I have enabled the session through BaseController and using Authentication Shield framework as well.

You can clearly see in the previous comment screenshot that I have been getting two Cache-Control headers when I tried to cache the JSON response. I would like to avoid database request until the data modified.

@kenjis
Copy link
Member Author

kenjis commented Jul 12, 2024

If you use Shield, Shield may enable Session before your controller.
Check where the Session is initialized, and configure before it.

@vikaskhunteta
Copy link

@kenjis But there should be no session enable before the login, btw where should I look this? Is there any impact on the headers due to site environment?

@kenjis
Copy link
Member Author

kenjis commented Jul 12, 2024

We use GitHub issues to track BUGS and to track approved DEVELOPMENT work packages. We use our forum to provide SUPPORT and to discuss FEATURE REQUESTS.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Verified issues on the current code behavior or pull requests that will fix them
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Bug: Duplicate Response Headers
6 participants