Commit 0e1d8707 authored by Benni Mack, committed by Daniel Goerz

[!!!][TASK] Streamline send-no-cache headers

The public property $sendNoCacheHeaders of
AbstractUserAuthentication is now fully put into
PSR-15 middlewares, which decide on their own
if headers disallowing HTTP caches should be sent to the client.

This change removes the property, as the PSR-15 middlewares
set the headers already since TYPO3 v10.

Resolves: #93047
Releases: master
Change-Id: I242d972c1a37a0642be19522f321e3f0ee88935d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67082


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>
parent 35d462e9
......@@ -156,12 +156,6 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
*/
public $writeAttemptLog = false;
/**
* Send no-cache headers
* @var bool
*/
public $sendNoCacheHeaders = true;
/**
* If set, the user-record must be stored at the page defined by $checkPid_value
* @var bool
......
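Review bot: The declaration of `$sendNoCacheHeaders` is dropped from the base class here, but nothing in this hunk shows that every read of it is gone as well. A leftover `->sendNoCacheHeaders` read would hit an undefined property, which PHP evaluates as null (with a warning or notice), so whatever no-cache branch it guards would be skipped quietly instead of failing. Please confirm that a search for `sendNoCacheHeaders` across the core matches only the changelog and scanner entries once this patch is applied.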
.. include:: ../../Includes.txt
====================================================================================
Breaking: #93047 - Removed property sendNoCacheHeaders in AbstractUserAuthentication
====================================================================================
See :issue:`93047`
Description
===========
The public property `sendNoCacheHeaders` of AbstractUserAuthentication which was
set to default, but disabled in Frontend User objects, ensured that appropriate
HTTP headers telling the client that this HTTP request is not allowed to be
cached by the client.
This property is removed, as this is now built into PSR-15 middlewares for
Backend Users (both Frontend and Backend) since TYPO3 v10.
Impact
======
Setting the property `sendNoCacheHeaders` has no effect anymore.
Affected Installations
======================
TYPO3 installations with custom extensions dealing with session
handling, using this property, which is very unlikely.
Migration
=========
Use a PSR-15 middleware to set headers depending on your needs,
if TYPO3's default header evaluation does not fit your needs
in Frontend Requests.
.. index:: Backend, Frontend, PHP-API, FullyScanned, ext:frontend
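Review bot: The Description paragraph never completes its main clause ("ensured that appropriate HTTP headers telling the client ..." does not say the headers were sent), and "Backend Users (both Frontend and Backend)" contradicts itself; it presumably means users of both contexts. The Migration section should also name the middlewares that now send the headers, because an integrator reading "has no effect anymore" needs to know where to verify that authenticated responses still go out uncacheable. Minor: single backticks around `sendNoCacheHeaders` are the reST default role, not an inline literal; use double backticks or an explicit role.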
......@@ -159,12 +159,6 @@ class FrontendUserAuthentication extends AbstractUserAuthentication
*/
public $dontSetCookie = true;
/**
* Send no-cache headers (disabled by default, if no fixed session is there)
* @var bool
*/
public $sendNoCacheHeaders = false;
public function __construct()
{
$this->name = self::getCookieName();
......
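Review bot: The removed docblock says the flag was "disabled by default, if no fixed session is there", which implies some code path switched it to `true` once a session existed, and that assignment is not among the lines shown. If a write such as `$this->sendNoCacheHeaders = true` survives anywhere, it would create a dynamic property and have no effect. Please check that the write sites are removed together with the declaration.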
......@@ -77,9 +77,6 @@ class FrontendUserAuthenticator implements MiddlewareInterface
if ($frontendUser instanceof FrontendUserAuthentication) {
$frontendUser->storeSessionData();
$response = $frontendUser->appendCookieToResponse($response);
if ($frontendUser->sendNoCacheHeaders) {
$response = $this->applyHeadersToResponse($response);
}
// Collect garbage in Frontend requests, which aren't fully cacheable (e.g. with cookies)
if ($response->hasHeader('Set-Cookie')) {
$this->sessionGarbageCollection();
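Review bot: With the `if ($frontendUser->sendNoCacheHeaders)` branch gone, this middleware appends the session cookie and returns the response without touching any cache header, so whether a logged-in frontend user's page can be stored by a browser or a shared proxy now depends entirely on code outside this file. The commit message says other middlewares already cover this; a functional test asserting that a response carrying the frontend `Set-Cookie` also carries a cache-disallowing `Cache-Control` would pin that down and catch a regression that serves one user's page to another.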
......@@ -96,27 +93,4 @@ class FrontendUserAuthenticator implements MiddlewareInterface
{
UserSessionManager::create('FE')->collectGarbage();
}
/**
* Adding headers to the response to avoid caching on the client side.
* These headers will override any previous headers of these names sent.
* Get the http headers to be sent if an authenticated user is available,
* in order to disallow browsers to store the response on the client side.
*
* @param ResponseInterface $response
* @return ResponseInterface the modified response object.
*/
protected function applyHeadersToResponse(ResponseInterface $response): ResponseInterface
{
$headers = [
'Expires' => 0,
'Last-Modified' => gmdate('D, d M Y H:i:s') . ' GMT',
'Cache-Control' => 'no-cache, must-revalidate',
'Pragma' => 'no-cache'
];
foreach ($headers as $headerName => $headerValue) {
$response = $response->withHeader($headerName, (string)$headerValue);
}
return $response;
}
}
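Review bot: `applyHeadersToResponse()` is deleted without a pointer to its replacement, and it was the only place in this file that documented which headers an authenticated response gets (`Expires`, `Last-Modified`, `Cache-Control: no-cache, must-revalidate`, `Pragma`). Please reference the middleware that now sends them in the commit message or changelog, and check that it sends at least the same set. Note also that the removed docblock promised to stop browsers from storing the response, while `no-cache` only forces revalidation; if storage has to be prevented, the replacement needs `no-store` (or `private` to keep the response out of shared caches).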
......@@ -770,4 +770,19 @@ return [
'Breaking-93023-ReworkedSessionHandling.rst',
],
],
'TYPO3\CMS\Core\Authentication\AbstractUserAuthentication->sendNoCacheHeaders' => [
'restFiles' => [
'Breaking-93047-RemovedPropertySendNoCacheHeadersInAbstractUserAuthentication.rst',
],
],
'TYPO3\CMS\Core\Authentication\BackendUserAuthentication->sendNoCacheHeaders' => [
'restFiles' => [
'Breaking-93047-RemovedPropertySendNoCacheHeadersInAbstractUserAuthentication.rst',
],
],
'TYPO3\CMS\Frontend\Authentication\FrontendUserAuthentication->sendNoCacheHeaders' => [
'restFiles' => [
'Breaking-93047-RemovedPropertySendNoCacheHeadersInAbstractUserAuthentication.rst',
],
],
];