To remove the Set-Cookie headers, specifically XSRF and laravel_session, in Laravel v11, you need to make sure these middlewares are effectively bypassed or customized to not set cookies. Here are some steps you can try:
Create a custom middleware to remove the Set-Cookie headers from the response.
Create a Middleware:

```shell
php artisan make:middleware RemoveCookies
```

Implement the Middleware Logic:

In app/Http/Middleware/RemoveCookies.php, update the handle method to remove the Set-Cookie headers:

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class RemoveCookies
{
    /**
     * Handle an incoming request.
     *
     * @param \Illuminate\Http\Request $request
     * @param \Closure $next
     * @return mixed
     */
    public function handle(Request $request, Closure $next)
    {
        // Let the rest of the stack build the response first
        $response = $next($request);

        // Remove 'Set-Cookie' headers (clears the cookies queued on the response header bag)
        $response->headers->remove('Set-Cookie');

        return $response;
    }
}
```
Register the Middleware:

Add the middleware to the global middleware stack in app/Http/Kernel.php:

```php
protected $middleware = [
    // Other global middlewares
    \App\Http\Middleware\RemoveCookies::class,
];
```
Disable sessions and CSRF if they are not needed for your use case:

Disable Session Middleware:

Remove or comment out \Illuminate\Session\Middleware\StartSession::class from the web middleware group in app/Http/Kernel.php:

```php
protected $middlewareGroups = [
    'web' => [
        // \Illuminate\Session\Middleware\StartSession::class,
        // Other middlewares...
    ],
];
```
Disable CSRF Middleware:

If CSRF protection is not necessary, you can disable it by commenting out \Illuminate\Foundation\Http\Middleware\VerifyCsrfToken::class from the web middleware group in app/Http/Kernel.php:

```php
protected $middlewareGroups = [
    'web' => [
        // \Illuminate\Foundation\Http\Middleware\VerifyCsrfToken::class,
        // Other middlewares...
    ],
];
```
If you encounter the "Session store not set on request" exception, ensure that your application does not require session handling. If it does, you may need to refactor your app to work without sessions or find a way to conditionally disable session handling only for specific routes.
Make sure your CDN and caching layers are properly configured to cache responses even after you have removed the Set-Cookie headers.

By following these steps, you should be able to remove the Set-Cookie headers and ensure your application responses are fully cached by the CDN.
Hey @mohamedhekal,
Thank you for the detailed response.
The app/Http/Kernel.php doesn't exist anymore in 11.x; thus, I can't just remove the Session middleware (that's my main issue).

I've already tried the custom middleware, and I've ended up with a different issue. Now I'm getting every time:

```
Set-Cookie: laravel_session=deleted; expires=Sun, 09 Jul 2023 19:26:50 GMT; Max-Age=0; path=/; httponly; samesite=lax
```

This is an issue, as Laravel sends "deleted" instead of not sending anything at all, which defies the rules of caching anyhow.

It did work well in Laravel 8/9, so I think it's a logic issue in L11. Perhaps a ticket is in order.
Thanks!
You could create a route group for all of your static routes. Here I've bootstrapped a route group called "static" that is configured to use a longer cache and doesn't set any cookies. Using this setup you would define your static routes in routes/static.php.
```php
<?php
// bootstrap/app.php

use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;
use Illuminate\Support\Facades\Route;

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__.'/../routes/web.php',
        commands: __DIR__.'/../routes/console.php',
        health: '/up',
        then: function () {
            // Routes in routes/static.php run under the 'static' group only
            Route::middleware('static')->group(__DIR__.'/../routes/static.php');
        },
    )
    ->withMiddleware(function (Middleware $middleware) {
        // No EncryptCookies, StartSession or VerifyCsrfToken here, so nothing sets a cookie
        $middleware->group('static', [
            \Illuminate\Http\Middleware\SetCacheHeaders::using('public;max_age=600;stale_while_revalidate=60'),
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ]);
    })
    ->withExceptions(function (Exceptions $exceptions) {
        //
    })->create();
```
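The same Laravel 11 setup with a guard that detects when a supposedly cacheable route still emits a cookie (including the `laravel_session=deleted` expiry cookie from the reply above, which a CDN treats like any other Set-Cookie). This is an added example, not code from the thread; it assumes routes/static.php holds the cacheable routes and the `AssertNoCookies` middleware is hypothetical, defined in the second file below.

```php
<?php
// bootstrap/app.php (added example). Assumes routes/static.php exists and
// App\Http\Middleware\AssertNoCookies (hypothetical) is the class defined below.
use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Middleware;
use Illuminate\Http\Middleware\SetCacheHeaders;
use Illuminate\Routing\Middleware\SubstituteBindings;
use Illuminate\Support\Facades\Route;

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__.'/../routes/web.php',
        commands: __DIR__.'/../routes/console.php',
        health: '/up',
        then: fn () => Route::middleware('static')->group(__DIR__.'/../routes/static.php'),
    )
    ->withMiddleware(function (Middleware $middleware) {
        // The 'static' group deliberately omits EncryptCookies, StartSession and
        // VerifyCsrfToken, so no middleware in the group ever queues a Set-Cookie.
        $middleware->group('static', [
            \App\Http\Middleware\AssertNoCookies::class, // listed first: runs outermost, sees final response
            SetCacheHeaders::using('public;max_age=600;stale_while_revalidate=60'),
            SubstituteBindings::class,
        ]);
    })
    ->create();

// app/Http/Middleware/AssertNoCookies.php (hypothetical guard, added example)
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class AssertNoCookies
{
    public function handle(Request $request, Closure $next): Response
    {
        $response = $next($request);
        // Cookies are stored as objects in the ResponseHeaderBag, so inspect
        // getCookies() rather than has('Set-Cookie'); an empty-value cookie is
        // the one rendered as "name=deleted; Max-Age=0", so it is caught too.
        $names = array_map(fn ($c) => $c->getName(), $response->headers->getCookies());
        if ($names !== []) {
            $msg = "Cacheable route /{$request->path()} set cookies: ".implode(', ', $names);
            app()->isProduction() ? logger()->warning($msg) : throw new \LogicException($msg);
        }
        return $response;
    }
}
```

Outside production the guard fails the request loudly so a leaking route shows up in tests; in production it only logs, so a misconfiguration degrades to a cache miss rather than an error page.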