Support the ongoing development of →
Laravel Session Cache

To remove the Set-Cookie headers, specifically XSRF and laravel_session, in Laravel v11, you need to make sure these middlewares are effectively bypassed or customized to not set cookies. Here are some steps you can try:

1. Custom Middleware

Create a custom middleware to remove the Set-Cookie headers from the response.

  1. Create a Middleware:

    php artisan make:middleware RemoveCookies
  2. Implement the Middleware Logic: In app/Http/Middleware/RemoveCookies.php, update the handle method to remove the Set-Cookie headers:

    namespace App\Http\Middleware;
    use Closure;
    use Illuminate\Http\Request;
    class RemoveCookies
         * Handle an incoming request.
         * @param  \Illuminate\Http\Request  $request
         * @param  \Closure  $next
         * @return mixed
        public function handle(Request $request, Closure $next)
            $response = $next($request);
            // Remove 'Set-Cookie' headers
            return $response;
  3. Register the Middleware: Add the middleware to the global middleware stack in app/Http/Kernel.php:

    protected $middleware = [
        // Other global middlewares

2. Adjust Session and CSRF Settings

Disable sessions and CSRF if they are not needed for your use case:

  1. Disable Session Middleware: Remove or comment out \Illuminate\Session\Middleware\StartSession::class from the web middleware group in app/Http/Kernel.php:

    protected $middlewareGroups = [
        'web' => [
            // \Illuminate\Session\Middleware\StartSession::class,
            // Other middlewares...
  2. Disable CSRF Middleware: If CSRF protection is not necessary, you can disable it by commenting out \Illuminate\Foundation\Http\Middleware\VerifyCsrfToken::class from the web middleware group in app/Http/Kernel.php:

    protected $middlewareGroups = [
        'web' => [
            // \Illuminate\Foundation\Http\Middleware\VerifyCsrfToken::class,
            // Other middlewares...

3. Handling Exceptions

If you encounter the "Session store not set on request" exception, ensure that your application does not require session handling. If it does, you may need to refactor your app to work without sessions or find a way to conditionally disable session handling only for specific routes.

4. Configure Cache and CDN

Make sure your CDN and caching layers are properly configured to cache responses even after you have removed the Set-Cookie headers.

By following these steps, you should be able to remove the Set-Cookie headers and ensure your application responses are fully cached by the CDN.


Hey @mohamedhekal,

Thank you for the detailed response.

  1. the app/Http/Kernel.php doesn't exist anymore in 11.x, thus, I can't just remove the Session middleware (that's my main issue).

  2. I've already tried the custom middleware, and I've ended with a different issue. Now I'm getting every time:

Set-Cookie: laravel_session=deleted; expires=Sun, 09 Jul 2023 19:26:50 GMT; Max-Age=0; path=/; httponly; samesite=lax

This is an issue as laravel sends "deleted" instead of not sending anything at all, which defies the rules of caching anyhow.

It did work well in Laravel 8/9, so I think it's a logic issue in L11. Perhaps a ticket is in order.



You could create a route group for all of your static routes. Here I've boostraped a route group called "static" that is configure to use a longer cache and doesn't set any cookies. Using this setup you would define your static routes in routes/static.php.

// boostrap/app.php

return Application::configure(basePath: dirname(__DIR__))
        web: __DIR__.'/../routes/web.php',
        commands: __DIR__.'/../routes/console.php',
        health: '/up',
        then: function () {
    ->withMiddleware(function (Middleware $middleware) {
        $middleware->group('static', [
    ->withExceptions(function (Exceptions $exceptions) {

Sign in to participate in this thread!


Your banner here too?

ikanc ikanc Joined 25 May 2015


We'd like to thank these amazing companies for supporting us

Your logo here?

The Laravel portal for problem solving, knowledge sharing and community building.

© 2024 - All rights reserved.