
Set-cookie header being cached

Open EdBailey opened this issue 8 months ago • 7 comments

In my testing I've found that set-cookie headers are getting cached by Caddy. This is obviously a big problem for us and I've not been able to see any cache-handler config or ways to work around it in the Caddy config.

Obviously in an ideal world we wouldn't be sending set-cookie headers on cacheable pages, but I'm working on a legacy platform and it's not going to be possible to change that behaviour in the short term, so I need Caddy to handle it. We've been using caching in nginx for some time and not had this problem with nginx.

My preferred behaviour here would be that the initial cache-miss request would send the set-cookie headers, but they wouldn't be stored in the cache so future cache-hits would not receive them.

I'd really appreciate any help with this!

EdBailey avatar Apr 29 '25 08:04 EdBailey
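
The behaviour requested in the post above (Set-Cookie passed through on the cache miss but kept out of the stored entry), as an added Go example. It is not part of the thread and not cache-handler's or Souin's code; `stripSetCookieCache`, `demo` and the upstream handler are hypothetical, and the cache ignores TTL, Vary and Cache-Control.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// stripSetCookieCache is a hypothetical URL-keyed cache (no TTL, Vary or Cache-Control handling).
func stripSetCookieCache(next http.Handler) http.Handler {
	var mu sync.Mutex
	store := map[string]*httptest.ResponseRecorder{} // recorder reused as a response buffer
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		mu.Lock()
		defer mu.Unlock()
		rec, hit := store[r.URL.String()]
		if !hit {
			rec = httptest.NewRecorder()
			next.ServeHTTP(rec, r)
			// The client that caused the miss keeps its cookie; the stored copy drops it.
			w.Header()["Set-Cookie"] = rec.Header().Values("Set-Cookie")
			rec.Header().Del("Set-Cookie")
			store[r.URL.String()] = rec
		}
		for k, v := range rec.Header() {
			w.Header()[k] = v
		}
		w.Header().Set("X-Cache", map[bool]string{true: "HIT", false: "MISS"}[hit])
		w.WriteHeader(rec.Code)
		w.Write(rec.Body.Bytes())
	})
}

// demo returns "X-Cache|Set-Cookie" for two requests to a constructed upstream.
func demo() (miss, hit string) {
	h := stripSetCookieCache(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Set-Cookie", "session=constructed; HttpOnly")
		fmt.Fprint(w, "cacheable page")
	}))
	get := func() string {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest("GET", "/cache-set-cookie", nil))
		return rec.Header().Get("X-Cache") + "|" + rec.Header().Get("Set-Cookie")
	}
	return get(), get()
}

func main() { fmt.Println(demo()) }
```

The same two-request check (cookie present on the miss, absent on the hit) can be run against a real proxy to confirm whether a cached response replays another client's Set-Cookie.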

Hey @EdBailey nice edge case, I'll put it on top of my todo list.

darkweak avatar Apr 29 '25 12:04 darkweak

Thanks @darkweak!

EdBailey avatar Apr 29 '25 13:04 EdBailey

yikes same issue here. subscribing

also, related https://github.com/caddyserver/cache-handler/issues/126

punkpeye avatar May 18 '25 18:05 punkpeye

Just in case useful for others, this is what I did in Fastify:

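```js
// Mark the response as private (not storable by a shared cache) when it sets
// a cookie or when the request's Cookie header contains "user_account".
app.addHook('onSend', (request, reply, payload, done) => {
  if (
    reply.hasHeader('set-cookie') ||
    request.headers['cookie']?.includes('user_account')
  ) {
    reply.header('cache-control', 'private');
  }

  done(null, payload);
});
```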

punkpeye avatar May 18 '25 19:05 punkpeye

e.g. With the Caddyfile only

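```
{
	cache {
		ttl 5s
	}
}
localhost:9080 {
	route /cache-set-cookie {
		cache
		reverse_proxy localhost:9087 {
			# Append a no-cache directive qualified with the Set-Cookie field name
			# to the upstream response's Cache-Control header.
			header_down +Cache-Control no-cache=Set-Cookie
		}
	}
}
```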

darkweak avatar May 25 '25 10:05 darkweak

@darkweak I was just wondering if there's been any progress on this? Setting Cache-Control no-cache=Set-Cookie seemed to make it revalidate every request, making the cache functionally useless unfortunately, unless I've really misunderstood something. Thanks!

EdBailey avatar Aug 08 '25 08:08 EdBailey

@EdBailey You can try with the latest version of Souin (v1.7.8).

darkweak avatar Sep 19 '25 10:09 darkweak