fix: duplicate Cache-Control header with Session

[kenjis]

Description
Fixes #7266

• remove the default CI4 Cache-Control header before the Session starts.

Before:

HTTP/1.1 200 OK
Host: localhost:8080
Date: Sat, 02 Mar 2024 12:54:18 GMT
Connection: close
X-Powered-By: PHP/7.4.33
Expires: Thu, 19 Nov 1981 08:52:00 GMT             // PHP Session
Cache-Control: no-store, no-cache, must-revalidate // PHP Session
Pragma: no-cache                                   // PHP Session
Cache-Control: no-store, max-age=0, no-cache       // CI4
Content-Type: text/html; charset=UTF-8

After:

HTTP/1.1 200 OK
Host: localhost:8080
Date: Sat, 02 Mar 2024 12:56:08 GMT
Connection: close
X-Powered-By: PHP/7.4.33
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=UTF-8

Checklist:

• Securely signed commits
• Component(s) with PHPDoc blocks, only if necessary or adds value
• Unit testing, with >80% coverage
• User guide updated
• Conforms to style guide

[bgeneto]

@kenjis Excuse my ignorance, but wouldn't it be better not to create this 'Cache-Control' header in the first place instead of creating it and removing it afterwards and thus adding a (maybe) unnecessary overhead to the framework? The ResponseTrait has

        $this->removeHeader('Cache-Control');
        $this->setHeader('Cache-Control', ['no-store', 'max-age=0', 'no-cache']);

It seems to me that the first line does not remove anything and the second line is adding the headers we want to remove while using sessions... What do you think?

[kenjis]

I don't know why, but the behavior is intentional. It is not a bug.

By default, all response objects sent through CodeIgniter have HTTP caching turned off. The options and exact circumstances are too varied for us to be able to create a good default other than turning it off.
https://codeigniter4.github.io/CodeIgniter4/outgoing/response.html#http-caching

So we cannot change it as a bug fix.

Do you propose to remove the default cache control header?
If so, it is a breaking change and not allowed in develop branch.

CodeIgniter4/system/HTTP/ResponseTrait.php

Lines 344 to 350 in a99787c

	public function noCache()
	{
	$this->removeHeader('Cache-Control');
	$this->setHeader('Cache-Control', ['no-store', 'max-age=0', 'no-cache']);
	return $this;
	}

It seems to me that the first line does not remove anything and the second line is adding the headers we want to remove while using sessions...

It is the code in the public noCache() method. Devs can call it from somewhere.
So we cannot remove the first line. Because the cache control header may be set already.

What do you think?

I think it is better to remove the default cache control header. That is, to remove these lines:

CodeIgniter4/system/HTTP/Response.php

Lines 152 to 154 in a99787c

	// Default to a non-caching page.
	// Also ensures that a Cache-control header exists.
	$this->noCache();

Because I think it is better that devs have full control to cache control header, and it is simpler.
But it is a breaking change, so we need more consideration, and need to do it in 4.5 branch, if we do it.

[vikaskhunteta]

@kenjis The issue here is marked as fixed but I am still getting duplicate header when the session enabled globally and I have been trying to cache response of an API request, if I call this function session_cache_limiter(''); before the session start into initController inside BaseController then I am getting same error like this user comment

#7266 (comment)

Should I extend different controller for the API requests which doesn't start the session? What should be the HTTP response code if the request cached? I believe it should be 304 Not Modified but when I stopped session globally and cached the request I am always getting 200 OK response.

Framework version - 4.5.3
PHP Version - 8.2.12
OS - Windows 11 Home

[kenjis]

@vikaskhunteta What do you mean by "when the session enabled globally"?

Read the code: https://github.com/codeigniter4/CodeIgniter4/pull/8601/files
That's what this PR does.

[vikaskhunteta]

@kenjis I mean I have enabled the session through BaseController and using Authentication Shield framework as well.

You can clearly see in the previous comment screenshot that I have been getting two Cache-Control headers when I tried to cache the JSON response. I would like to avoid database request until the data modified.

[kenjis]

If you use Shield, Shield may enable Session before your controller.
Check where the Session is initialized, and configure before it.

[vikaskhunteta]

@kenjis But there should be no session enable before the login, btw where should I look this? Is there any impact on the headers due to site environment?

[kenjis]

We use GitHub issues to track BUGS and to track approved DEVELOPMENT work packages. We use our forum to provide SUPPORT and to discuss FEATURE REQUESTS.