statamic / cms

The core Laravel CMS Composer package
https://statamic.com

Session start/cookies not needed for all visitors #10745

Closed 925dk closed 1 month ago

925dk commented 1 month ago

Bug description

It seems laravel_session and XSRF-TOKEN cookies are always set on the front-end (for all users), which I guess means a server-side session is always created.

I don't need (or want) any session/state for regular site visitors.

For performance + no need to put cookies when not actually needed (privacy/cookie policy/politeness) + play nicely with any reverse proxy/cache etc.

Of course for cp/signed-in users, things can/should continue to function as-is. This is about normal visitors to the site/front-end.

So I suggest bypassing the session start/cookie stuff for regular site visitors as the default. Or, if that is a breaking change, have a config option to disable it.

How to reproduce

Visit a Statamic site in a private tab. See cookies are placed.

Logs

No response

Environment

Environment
Application Name: xxx
Laravel Version: 11.21.0
PHP Version: 8.2.21
Composer Version: 2.5.8
Environment: production
Debug Mode: OFF
URL: dev.xxx.com
Maintenance Mode: OFF
Timezone: UTC
Locale: en

Cache
Config: NOT CACHED
Events: NOT CACHED
Routes: NOT CACHED
Views: CACHED

Drivers
Broadcasting: null
Cache: file
Database: sqlite
Logs: stack / single
Mail: sendmail
Queue: sync
Session: file

Statamic
Addons: 0
Sites: 2 (xxx (en), xxx (da))
Stache Watcher: Disabled
Static Caching: half
Version: 5.23.0 PRO

Installation

Fresh statamic/statamic site via CLI

Additional details

No response

925dk commented 1 month ago

My current workaround:

diff --git a/bootstrap/app.php b/bootstrap/app.php
index 7b162da..c29cba6 100644
--- a/bootstrap/app.php
+++ b/bootstrap/app.php
@@ -11,7 +11,11 @@
         health: '/up',
     )
     ->withMiddleware(function (Middleware $middleware) {
-        //
+        $middleware->removeFromGroup('web', [
+            \Illuminate\Foundation\Http\Middleware\ValidateCsrfToken::class,
+            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
+            \Illuminate\Session\Middleware\StartSession::class
+        ]);
     })
     ->withExceptions(function (Exceptions $exceptions) {
         //
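
Review bot: the `removeFromGroup('web', ...)` call is broader than the scope the issue states (CP and signed-in users keep working as-is): it strips CSRF validation, the `$errors` view variable and session start from every route in the `web` group, not only anonymous page views, so any front-end form or login route that POSTs through that group loses CSRF protection and session-backed auth, and if the control panel routes also run under `web` the `laravel_session`/`XSRF-TOKEN` cookies disappear for signed-in users too. Before relying on this, confirm that CP login and any front-end forms still work after the change, and consider the narrower option of leaving the `web` group intact and excluding only the public content routes, e.g. `->withoutMiddleware([StartSession::class, ValidateCsrfToken::class, ShareErrorsFromSession::class])` on those routes.
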

925dk commented 1 month ago

On second thought, maybe not an issue for Statamic to deal with. And the tweak above to the default Laravel web middleware group solves it for me. So closing issue again.
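
The reproduction step in the report ("visit the site in a private tab, see cookies are placed") is also the check to run before and after a middleware change like the workaround above, to confirm that anonymous page views no longer create a session. The script below is an added example, not code from this issue, from Statamic or from Laravel; the cookie names come from the issue, the sample `Set-Cookie` headers are constructed placeholders, and `fetch_set_cookie_headers` (a name chosen here) does the live request when given a URL.

```python
"""Audit the cookies a server sets on a request that carried none.

Added example for the reproduction step in the issue; not Statamic/Laravel code.
Cookie names are taken from the issue; the sample headers are constructed.
"""
import urllib.request

# Cookies the issue reports as being set for every visitor.
ANONYMOUS_SESSION_COOKIES = {"laravel_session", "xsrf-token"}

# Constructed sample of what a stock Laravel 'web' route sends to a first-time
# visitor. Values are placeholders, not real encrypted tokens.
SAMPLE_SET_COOKIE_HEADERS = [
    "XSRF-TOKEN=PLACEHOLDER; expires=Thu, 01 Jan 2026 00:00:00 GMT; "
    "Max-Age=7200; path=/; samesite=lax",
    "laravel_session=PLACEHOLDER; expires=Thu, 01 Jan 2026 00:00:00 GMT; "
    "Max-Age=7200; path=/; httponly; samesite=lax",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs).

    Attribute names are lower-cased; flag attributes such as HttpOnly map to True.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts:
        return "", "", {}
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_anonymous_cookies(set_cookie_headers, https=True):
    """Return findings for cookies sent in reply to a cookie-less request.

    A session or CSRF cookie here means the server created state for an
    anonymous visitor, which is what the issue reports. The remaining checks
    flag attributes a session cookie should carry whenever it is set at all.
    """
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        lower = name.lower()
        if lower in ANONYMOUS_SESSION_COOKIES:
            findings.append(f"{name}: session/CSRF cookie set for an anonymous visitor")
        if https and "secure" not in attrs:
            findings.append(f"{name}: missing Secure attribute on an HTTPS site")
        # XSRF-TOKEN is meant to be readable by JavaScript, so only the session
        # cookie is expected to be HttpOnly.
        if lower == "laravel_session" and "httponly" not in attrs:
            findings.append(f"{name}: session cookie missing HttpOnly")
        if str(attrs.get("samesite", "")).lower() not in {"lax", "strict"}:
            findings.append(f"{name}: SameSite is not Lax or Strict")
    return findings


def fetch_set_cookie_headers(url):
    """Live check: GET the URL without sending cookies and return its Set-Cookie headers."""
    request = urllib.request.Request(url, headers={"User-Agent": "cookie-audit-example/0.1"})
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:  # e.g. python cookie_audit.py https://example.test/
        url = sys.argv[1]
        headers, https = fetch_set_cookie_headers(url), url.startswith("https://")
    else:  # offline run on the constructed sample, assumed to come from an HTTPS site
        headers, https = SAMPLE_SET_COOKIE_HEADERS, True
    for line in audit_anonymous_cookies(headers, https=https):
        print(line)
```

Run it against the front-end URL once with the stock middleware group and once after the change: the two "set for an anonymous visitor" findings should disappear for public pages, while a request to the control panel login page (which still needs a session and a CSRF token) should keep producing them.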