We are experimenting with caching and we are going to strip away the cookies for most requests.
We are currently exempting the UserContext, e.g. Cart data, API calls and MyPages and the backend from this cookie strip. Is there some other part of Litium that uses the session information that we need to know about? Do we need to handle __RequestVerificationToken on regular pages as well?
Everything that uses the target group or price calculations needs the session. The __RequestVerificationToken is used to verify postbacks and the HTTP requests by JavaScript, to verify that the sender is valid for that request (to avoid XSS), so when the page is rendered the cookie will be set together with the data that will be passed to the server with either a form field or the HTTP header. I haven't experimented with stripping the cookie header, so I can't give any recommendation about whether it should or shouldn't work.
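
Because the token rendered into the page is paired with one visitor's cookie, a shared cache should not store a response that carries either half of that pair. The check below is an added example, not code from this thread or from Litium; the function names and sample responses are constructed, and it only looks for the cookie and the hidden form field, not tokens rendered for JavaScript in other ways.

```python
import re

TOKEN_NAME = "__RequestVerificationToken"
# Hidden form field that carries the request half of the token pair.
TOKEN_FIELD = re.compile(
    r'<input[^>]*name=["\']' + re.escape(TOKEN_NAME) + r'["\']', re.I
)


def sets_token_cookie(set_cookie_headers):
    """True if any Set-Cookie header value issues the anti-forgery cookie."""
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        # Prefix match: ASP.NET can append an application-path suffix.
        if name.startswith(TOKEN_NAME):
            return True
    return False


def cache_decision(set_cookie_headers, body):
    """Return (cacheable, reason) for a response about to enter a shared cache."""
    if sets_token_cookie(set_cookie_headers):
        return False, "response issues the anti-forgery cookie"
    if TOKEN_FIELD.search(body):
        return False, "body embeds a per-visitor token field"
    return True, "no anti-forgery material found"


# Constructed sample responses (not captured from a real site).
PLAIN_PAGE = ([], "<html><body><h1>Category</h1></body></html>")
FORM_PAGE = (
    [TOKEN_NAME + "=c29tZQ; path=/; HttpOnly"],
    '<form method="post"><input name="' + TOKEN_NAME
    + '" type="hidden" value="dG9rZW4" /></form>',
)
# Cookie already stripped by the cache layer, token still in the HTML.
STRIPPED_FORM_PAGE = ([], FORM_PAGE[1])

if __name__ == "__main__":
    samples = {"plain": PLAIN_PAGE, "form": FORM_PAGE,
               "stripped": STRIPPED_FORM_PAGE}
    for label, (cookies, body) in samples.items():
        print(label, cache_decision(cookies, body))
```

The third sample is the case that matters when cookies are stripped: the `Set-Cookie` header is gone, but the HTML still holds a token that will only validate for the visitor it was rendered for.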