Posted to users@httpd.apache.org by "Presto, Patrick" <Pa...@qwest.com> on 2010/06/21 16:13:17 UTC

[users@httpd] Caching is serving up the wrong user content to some users who log in.

We have just started enabling caching on our Apache 2.2.3 web server to take advantage of the performance increase. We use Apache as a proxy to our back-end Java applications. One of our larger portal applications has had reports of users logging in and getting other users' content. We don't have this problem when we disable the cache, so we are somehow caching user-specific content sometimes. We don't see this with most users in production, and we are unable to replicate this behavior in test or production at this time.

Does anyone have any ideas what could cause this intermittent caching behavior?


I looked at the Change log and found something that could be a possibility, but I don't fully understand this bug.
Under 2.2.12 Changes:
 *) mod_disk_cache/mod_mem_cache: Fix handling of CacheIgnoreHeaders
    directive to correctly remove headers before storing them.
    [Lars Eilebrecht]

Could it be possible that CacheIgnoreHeaders is sometimes storing a "Set-Cookie" header for content when it shouldn't be? If so, would it be possible that the next request for that content comes with the original requestor's cached "Set-Cookie" header and resets the current user's cookie or ID? This could then cause the current user to access the original requestor's data, since the "Set-Cookie" header might have been accidentally stored in the cache.
If this could be the cause, does anyone know how I could prove this in test?

Here is our current caching configuration using mod_expires, mod_cache, and mod_disk_cache. We are disabling some areas of the site that use Velocity because we don't want to cache some of the dynamic content, like the sessionVariable property files, for example.

Any help is appreciated!  Thank you!

<IfModule mod_cache.c>
    <IfModule mod_disk_cache.c>
        CacheRoot  /opt/apache/cache/
        CacheEnable disk /
        # Store responses even when they carry no Last-Modified (or Expires)
        # header; without this, mod_cache skips such responses. A response
        # Cache-Control of no-cache / no-store / private still prevents storing.
        CacheIgnoreNoLastMod On

        CacheDisable /business/sessionVariableSetup.vm
        CacheDisable /business/education/
        CacheDisable /business/partners/
        CacheDisable /business/consultants/
        CacheDisable /business/home/

        # Strip these headers from the stored copy only; the response body is
        # still stored, so a per-user page must mark itself private upstream.
        CacheIgnoreHeaders Set-Cookie Set-Cookie2

    </IfModule>

    <IfModule mod_expires.c>
        # Add expires headers for images, css & js files
        ExpiresActive On
        ExpiresByType image/gif A28800
        ExpiresByType image/jpeg A28800
        ExpiresByType image/png A28800
        ExpiresByType text/css A28800
        ExpiresByType text/javascript A28800
        ExpiresByType application/x-javascript A28800
        ExpiresByType application/javascript A28800
        ExpiresByType application/ecmascript A28800
        ExpiresByType image/x-icon A28800
    </IfModule>
</IfModule>
Patrick

________________________________
This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful. If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.

[users@httpd] Re: Caching is serving up the wrong user content to some users who log in.

Posted by Nicholas Sherlock <n....@gmail.com>.
On 22/06/2010 2:13 a.m., Presto, Patrick wrote:
> One of our larger portal applications
> has had reports of users logging in and getting other users content

Your application is not sending Cache-Control: private, as it MUST in 
order to prevent caches at any level of the chain from caching your 
user-specific content. It's not just your caching server; there are ISPs 
that will cache your pages that have no caching directives too, exposing 
sessions to other users who use the same ISP. We saw it on our website 
until we added the correct directives to block caching.

Cheers,
Nicholas Sherlock
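
As an added example that is not part of either post above, and not code from httpd or the portal: a small Python module that applies the storage rules a shared cache (mod_cache in 2.2, or an ISP proxy) uses to decide whether a response may be stored, and flags the pattern Patrick describes, a storable response that carries Set-Cookie and lacks Cache-Control: private. It also shows how CacheIgnoreNoLastMod On changes the outcome for a dynamic page with no Last-Modified header. The rule set is a simplification (no Authorization handling, no CacheStorePrivate/CacheStoreNoStore overrides), and the sample responses, cookie values and dates are constructed, so nothing is fetched from a server.

```python
"""Decide whether a shared cache may store an HTTP response, and flag
responses that are storable but carry user-specific signals.

Added example for this thread, not code from httpd or the portal. The
rules are the core of what mod_cache 2.2 and most shared proxies apply,
simplified: Authorization handling and the CacheStorePrivate /
CacheStoreNoStore overrides are not modelled."""
from __future__ import annotations

from dataclasses import dataclass

# Status codes a shared cache will store (RFC 2616 section 13.4 set).
CACHEABLE_STATUS = {200, 203, 300, 301, 410}


def parse_cache_control(value: str) -> dict[str, str | None]:
    """'private, max-age=60' -> {'private': None, 'max-age': '60'}."""
    directives: dict[str, str | None] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if arg else None
    return directives


@dataclass
class Verdict:
    shared_cacheable: bool  # may a shared cache store this response?
    reasons: list[str]      # why not, or what is risky if it is stored


def assess(status: int, headers: dict[str, str],
           ignore_no_last_mod: bool = False) -> Verdict:
    """Apply shared-cache storage rules to one response.

    ignore_no_last_mod mirrors CacheIgnoreNoLastMod On: store even when the
    response has neither Last-Modified nor an explicit freshness lifetime."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))

    if status not in CACHEABLE_STATUS:
        return Verdict(False, [f"status {status} is not storable"])
    if "no-store" in cc:
        return Verdict(False, ["Cache-Control: no-store"])
    if "private" in cc:
        return Verdict(False, ["Cache-Control: private (browser cache only)"])
    if "no-cache" in cc:
        return Verdict(False, ["Cache-Control: no-cache"])
    if h.get("vary", "").strip() == "*":
        return Verdict(False, ["Vary: *"])

    has_freshness = "expires" in h or "max-age" in cc or "s-maxage" in cc
    no_validator = "last-modified" not in h and not has_freshness
    if no_validator and not ignore_no_last_mod:
        return Verdict(False, ["no Last-Modified and no freshness lifetime; "
                               "skipped unless CacheIgnoreNoLastMod On"])

    # Storable. Flag what makes storing it dangerous on a multi-user site.
    risks: list[str] = []
    if "set-cookie" in h:
        risks.append("Set-Cookie on a storable response: content is probably "
                     "per-user; CacheIgnoreHeaders drops the header, not the body")
    if no_validator:
        risks.append("stored only because CacheIgnoreNoLastMod On; dynamic "
                     "pages usually lack Last-Modified")
    return Verdict(True, risks)


# Constructed sample responses (not captured from any real server).
SAMPLES: dict[str, tuple[int, dict[str, str]]] = {
    # A Java portal page with no caching headers at all.
    "portal_page_before_fix": (200, {
        "Content-Type": "text/html;charset=UTF-8",
        "Set-Cookie": "JSESSIONID=constructed0123; Path=/; HttpOnly",
    }),
    # The same page once the application marks it private.
    "portal_page_after_fix": (200, {
        "Content-Type": "text/html;charset=UTF-8",
        "Set-Cookie": "JSESSIONID=constructed0123; Path=/; HttpOnly",
        "Cache-Control": "private, no-store, no-cache",
        "Pragma": "no-cache",
    }),
    # A static asset that should be cached.
    "logo_png": (200, {
        "Content-Type": "image/png",
        "Last-Modified": "Mon, 21 Jun 2010 10:00:00 GMT",
        "Expires": "Mon, 21 Jun 2010 18:00:00 GMT",
    }),
    "login_redirect": (302, {"Location": "/business/home/"}),
}


def audit(samples=SAMPLES, ignore_no_last_mod: bool = True) -> dict[str, Verdict]:
    """Assess every sample; the default mirrors the thread's config."""
    return {name: assess(status, hdrs, ignore_no_last_mod)
            for name, (status, hdrs) in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        flag = "STORED " if verdict.shared_cacheable else "skipped"
        print(f"{flag} {name}: {'; '.join(verdict.reasons) or 'ok'}")
```

Run against real traffic by replacing SAMPLES with status and headers captured from the back end (behind the proxy, so mod_cache has not yet touched them): any entry that comes back STORED with a Set-Cookie risk is a page the application must mark Cache-Control: private or no-store, regardless of what CacheDisable or CacheIgnoreHeaders does in front of it.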


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org