
mbo's avatar
Level 3

Excluding cookie setting by Laravel

Good day,

I try to do the following:

  • upload image
  • crop image at the moment the image is called
  • cache the image with Cloudflare

The first two work. But Cloudflare is not caching my images (bypass). I think this has to do with the fact that Laravel places cookies by passing my middleware.

What do I want to do: clear my image routes from the middleware that places these cookies.

What have I done:


use App\Http\Middleware\VerifyCsrfToken;

Route::withoutMiddleware([VerifyCsrfToken::class])->group(function () {
    Route::get('/img/{path}', [Controllers\ImageController::class, 'show'])->where('path', '.*');
});

This works: it clears XSRF cookie setting

Now I want to do the same for the session cookie:


use App\Http\Middleware\VerifyCsrfToken;
use Illuminate\Session\Middleware\StartSession;

Route::withoutMiddleware([VerifyCsrfToken::class, StartSession::class])->group(function () {
    Route::get('/img/{path}', [Controllers\ImageController::class, 'show'])->where('path', '.*');
});

But this does not work. It breaks the showing of the images.

Error in network:

GET
Status Code: 500 Internal Server Error

Questions I have:

  • What have I done wrong?
  • How to solve this?
  • Or, how to debug this?

Thanks in advance

0 likes
1 reply
LaryAI's avatar
Level 58

It seems like you are on the right track by trying to exclude certain middleware for your image routes to prevent Laravel from setting cookies, which Cloudflare might be using to determine not to cache the content. However, removing the StartSession middleware can lead to issues if your application or any other middleware still relies on the session being available.

Here are a few steps and considerations to help you solve the issue:

1. Debugging the 500 Internal Server Error

To understand what's causing the 500 error, you should first look at the Laravel logs. You can find these in storage/logs/laravel.log. This file will contain more detailed information about the error which can help you pinpoint the issue.

2. Ensuring No Other Middleware Requires Session

If you remove the StartSession middleware, ensure that no other middleware or part of your application relies on the session being started. This includes your own middleware, third-party packages, or even views that might access session data.

3. Alternative Approach: Modify Response to Remove Set-Cookie Headers

Instead of removing the session middleware entirely, you could modify the response to strip out any Set-Cookie headers for your image routes. This can be done by creating a middleware that modifies the response before it's sent to the client.

Here’s how you can create and apply such a middleware:

Create Middleware

php artisan make:middleware RemoveCookieHeaders

Middleware Implementation

Edit the created middleware file, typically found in app/Http/Middleware/RemoveCookieHeaders.php:

<?php

namespace App\Http\Middleware;

use Closure;

class RemoveCookieHeaders
{
    public function handle($request, Closure $next)
    {
        $response = $next($request);

        // Remove Set-Cookie headers
        $response->headers->remove('Set-Cookie');

        return $response;
    }
}

Register Middleware

Register your new middleware in app/Http/Kernel.php under the $routeMiddleware array:

protected $routeMiddleware = [
    // other middleware
    'removeCookies' => \App\Http\Middleware\RemoveCookieHeaders::class,
];

Use Middleware in Routes

Apply this middleware to your image routes:

Route::middleware(['removeCookies'])->get('/img/{path}', [Controllers\ImageController::class, 'show'])->where('path', '.*');

4. Test Your Changes

After implementing the above changes, make sure to thoroughly test your image routes to ensure that they work as expected and that the Set-Cookie headers are indeed removed.

Conclusion

By using this approach, you keep the session middleware intact for other parts of your application that might need it, while effectively preventing cookies from being set on responses for specific routes, which should help with Cloudflare caching issues.
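Whether a cookie-stripping middleware sees a cookie depends on where it sits in the stack, because layers such as a session middleware add their Set-Cookie header only after the inner layers have returned. The following is an added example, not code from this thread or from Laravel: it models the stack with plain PHP closures, and `$startSession`, `$removeCookies`, `$controller`, `run` and the sample cookie are constructed stand-ins.

```php
<?php
// Added example: a simplified model of a middleware stack, not Laravel's own code.
// Each layer gets the request and $next, and may edit the response on the way out.

// Stand-in for a session layer: adds its cookie AFTER the inner layers return.
$startSession = function (array $request, callable $next): array {
    $response = $next($request);
    $response['headers']['Set-Cookie'][] = 'app_session=CONSTRUCTED; path=/; httponly';
    return $response;
};

// Stand-in for the RemoveCookieHeaders idea: drops Set-Cookie on the way out.
$removeCookies = function (array $request, callable $next): array {
    $response = $next($request);
    unset($response['headers']['Set-Cookie']);
    return $response;
};

// Stand-in for the image controller: returns a response with no cookies.
$controller = fn (array $request): array => [
    'status'  => 200,
    'headers' => ['Content-Type' => 'image/jpeg'],
];

// Build the onion: the first entry in $stack becomes the outermost layer.
function run(array $stack, callable $controller, array $request): array
{
    $pipeline = array_reduce(
        array_reverse($stack),
        fn (callable $next, callable $mw) => fn (array $req) => $mw($req, $next),
        $controller
    );
    return $pipeline($request);
}

$request = ['path' => '/img/example.jpg']; // constructed sample request

// Stripper inside the session layer: it runs before the cookie is added.
$inner = run([$startSession, $removeCookies], $controller, $request);
// Stripper outside the session layer: it sees the finished response.
$outer = run([$removeCookies, $startSession], $controller, $request);

foreach (['stripper innermost' => $inner, 'stripper outermost' => $outer] as $label => $res) {
    $state = isset($res['headers']['Set-Cookie']) ? 'still present' : 'removed';
    printf("%s: Set-Cookie %s\n", $label, $state);
}
```

When testing the real routes, check the response headers as they leave the application (for example with the browser's network tab) rather than assuming the stripping layer ran last.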
