compwright / php-session

Standalone session implementation that does not rely on the PHP session module or the $_SESSION global, ideal for Swoole or ReactPHP applications

Unable to set Cache headers from Controller.

yani opened this issue · comments

commented

I'm unable to define my own cache headers. My controller outputs static images and the SessionCacheControlMiddleware overwrites them.

I tried creating a new Response using a ResponseFactory. But the headers are set after the request is handled.

I tried getting the Manager object and closing the Session from within my Controller:

```php
$manager = $request->getAttribute('sessionManager');
$manager->abort();
// also tried $manager->write_close();
```

But the status() method keeps returning \PHP_SESSION_ACTIVE.

I can see that aborting/closing the session does not set the Manager's current_session property to null, which is what status() checks for.

Is there a way to define custom cache headers, or should this be changed/fixed?
(I'd also rather not divert from PSR-7 by discarding the Response and outputting the file and its headers directly.)

The purpose of SessionCacheControlMiddleware is to ensure that requests to protected (authenticated) endpoints are NOT cached by the browser outside of the session.

If the images your controller serves should only be accessible to authenticated users, then you should not attempt to set caching headers at all, and let the middleware do its thing.

If the images are meant to be public, you are better off serving them from a static file server instead of from a controller. If you are using the common nginx + php-fpm setup, serve the files from nginx without going through PHP.

If that isn't an option, and you must serve them through PHP, then you will need to separate your route for this controller and NOT use the SessionCacheControlMiddleware on that particular route.

@yani does that help?

commented

Well. It's a fallback route and I already have the nginx configuration noted down. The project is open source and I wanted to make everything foolproof so other developers can easily get started.

I fully understand why HTML content is forced to not be cached. (I'm using Cloudflare so it's definitely important). I just find it weird that there's no option to turn it off. Could it be a good function to add? Maybe making $manager->abort() also set the currentSession property to null instead of only calling close() on the session? Or maybe even a new method.

Oh and disabling SessionCacheControlMiddleware for those particular routes would be a pain as I just use the included Slim middleware functionality.
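
One way to keep SessionCacheControlMiddleware off a public route when middleware is registered application-wide, as an added example that is not code from this thread or from php-session: a PSR-15 wrapper that bypasses the wrapped middleware only for strictly matched public paths. The class name `SkipForPublicPaths`, the `/static/` prefix and the `$sessionCacheControl` variable are hypothetical; PHP 8 and the PSR-7/PSR-15 interface packages are assumed.

```php
<?php
declare(strict_types=1);

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;

// Hypothetical wrapper: runs $inner (e.g. the session cache-control
// middleware) on every request except those under a public prefix.
final class SkipForPublicPaths implements MiddlewareInterface
{
    /** @param string[] $publicPrefixes e.g. ['/static/'] (assumed layout) */
    public function __construct(
        private MiddlewareInterface $inner,
        private array $publicPrefixes
    ) {
    }

    public function process(
        ServerRequestInterface $request,
        RequestHandlerInterface $handler
    ): ResponseInterface {
        if (!$this->isPublic($request->getUri()->getPath())) {
            // Protected route: the wrapped middleware decides the cache headers.
            return $this->inner->process($request, $handler);
        }
        $response = $handler->handle($request);
        // A response that sets a cookie must never reach a shared cache
        // (CDN or proxy), even on a route that is otherwise public.
        if ($response->hasHeader('Set-Cookie')) {
            return $response->withHeader('Cache-Control', 'private, no-store');
        }
        return $response; // the controller's own cache headers survive
    }

    private function isPublic(string $path): bool
    {
        // Only plain paths qualify: no "..", no "%"-encoding, no "//", so a
        // crafted URL cannot make a protected page look like a static asset.
        if (!preg_match('#^(/[A-Za-z0-9_.-]+)+$#', $path) || str_contains($path, '..')) {
            return false;
        }
        foreach ($this->publicPrefixes as $prefix) {
            if (str_starts_with($path, $prefix)) {
                return true;
            }
        }
        return false;
    }
}
// Usage in Slim: $app->add(new SkipForPublicPaths($sessionCacheControl, ['/static/']));
```

Anything the path check rejects falls through to the wrapped middleware, so a mismatch costs cacheability rather than exposing an authenticated response to a cache.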