02/17/2020, 11:06 AM
I found a bug (not really a bug, but maybe an "undesirable feature"?): If you are using sessions with cookies, ktor will always send a
header on static files, even if the session wasn't changed. While this isn't a super huge issue, it also sends the
header for assets (like css, js, etc) and that breaks Cloudflare's cache (it always bypasses the cache)


02/17/2020, 11:12 AM
Isnt the latter more of a routing setup issue ?


02/17/2020, 11:37 AM
@spand that's what I thought, that maybe somewhere the session is retrieved/updated and that's why ktor is updating the cookie. But even after adding logs to when the session is retrieved (my website only retrieves the user session via a extension method I created) the cookie is always set even if I don't retrieve the session in the route
Also forgot to mention that this affects static files, that's why I said it was a bug.
I decided to figure the issue out and it looks like ktor always resends the
header if the client sends the
header too.
I tried directly requesting ktor's server with curl (only setting the
header) and the server still always resends the cookie with
. The file (
) is served via the static content routing feature. I think that's a bug but maybe I'm doing something wrong
The curl comment I sent was (don't worry, I already revoked the access/refresh token):
curl -i '<>' -H 'Cookie: SESSION_FEATURE_SESSION=cachedIdentification%3D%2523s%257B%2522id%2522%253A%2522123170274651668480%2522%252C%2522username%2522%253A%2522MrPowerGamerBR%2522%252C%2522discriminator%2522%253A%25224185%2522%257D%26storedDiscordAuthTokens%3D%2523s%257B%2522clientId%2522%253A%2522395935916952256523%2522%252C%2522clientSecret%2522%253A%2522Ejm3LsFOYNxDrlSdcr%2DPPU9D41ZI%2D%5FJf%2522%252C%2522authCode%2522%253A%2522ZB3HUlc3XQYz1vIOo2wwmiYucD4Zxw%2522%252C%2522redirectUri%2522%253A%2522https%253A%252F%252Fcanary%2Eloritta%2Ewebsite%252Fdashboard%2522%252C%2522scope%2522%253A%255B%2522identify%2522%252C%2522guilds%2522%252C%2522email%2522%252C%2522guilds%2Ejoin%2522%255D%252C%2522accessToken%2522%253A%25226DW7BYPCrunLDzinD8rR8ooNJVQt9D%2522%252C%2522refreshToken%2522%253A%25229fwJmeWwvf2JoEW8ibEpQvs1VrScMq%2522%252C%2522expiresIn%2522%253A604800%252C%2522generatedAt%2522%253A1581702568020%257D%2F3c857f5ebec61f6a68a01e0cd9fd8e729d6b75b2045ed3a8cf28a1fd304263cf' | less
As you can see it is just resending the exact same cookie with the same hash for static files.
After looking into it, it seems that's the intended behavior: When the client sends a cookie, ktor loads the session and, before sending, if there is a session present, it resends the Set-Cookie. It would be nice if it had an option to ignore setting cookies based on content-type/routes/etc