Browser cache control for logged in users


(Kequi) #1

Hi,

 

I've got an issue where logged in users are seeing browser/squid cached versions of pages they have visited before logging in.

 

Not sure if it is squid or browser - but clearing browser cache lets the fresh page load.

 

Is there a way to either:

 

1. Force logged in users to request the latest version of the page

2. Force logged in users to bypass Squid (which should call the fresh version of the page)

 

 

I can hack around the issue by tagging a query string to urls using javascript for logged in users which would pull through a fresh version of the page for their logged in session - but I'd rather not.

 

Any thoughts?

 

Thanks

 

Karl


(Aleks Bochniak) #2

There are multiple ways to approach this, and it really really depends on your site architecture and how your users use your website.

 

It's really a rabbit hole you are about to fall into.

 

First determine if they're seeing a browser cached version of the page or a squid cached version after logging in.


(Kequi) #3

Hi Aleks,

 

You mean there's no simple answer!  

 

Is there an easy way to tell if it's squid or browser cache?

 

I'm leaning towards squid. 

If I login and then clear browser data - it still shows the logged out pages.

 

Karl


(David Schoen) #4

It's normal for Squid to cache pages in this scenario. Squid ignores cookies when checking cache objects (and fortunately strips them when storing them!), so it doesn't care whether a user is logged in or not. When you hit the same URL, Squid doesn't know that the user is logged in, so it is happy to just return the cached object (which is cached by URL, not URL + login).

 

The best option is generally to have a specific logged in area if possible, or if that's genuinely not possible, turn off Squid cache (if you can wear the performance loss for public users).

 

There are much more complex solutions involving detecting the authentication at the accelerator (Squid in this case) so that you can behave differently at that layer and end up passing the request on - I've only seen this done in the wild with relatively custom Varnish configs though.


(Kequi) #5

Thanks David / Aleks,

 

Turning Squid off is not really an option - performance loss is just too great.

Separate logged in area not possible either, as logged in users have slightly different content across the site compared to public users (i.e. the same pages - just with slight differences if you are logged in).

 

So I reckon I have 3 options and would value your opinion.

 

1. Figure out some way to add a query string to logged in page urls 

So public see www.mysite.com - and logged in users see www.mysite.com?login=yes (or user=123456 or whatever dynamic variable I wish if logged in pages need to be cached to a specific user)

 

2. Shift logged in users to https

So public see http://www.mysite.com and logged in users are at https://www.mysite.com

Does Squid cache https pages?

 

3. Add a new domain onto the whole system.

So public see http://www.mysite.com and logged in users are switched to http://login.mysite.com

 

Thanks David


(David Schoen) #6

2 and 3 are roughly what I wanted to imply by saying separate logged in area :) and will be your simplest option with Squid.

 

Squid will cache HTTPS if Matrix tells it to, but Matrix won't by default.
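
The behaviour discussed in posts #4 to #6, as an added example that is not part of the thread and is not Squid's or Matrix's code: a toy accelerator cache keyed by URL only, showing why the same URL returns the public copy to a logged-in user and why a different query string or host does not. The `session` cookie name, the `/news` path, the user `karl` and the rule that logged-in responses are never stored are assumptions of this model.

```python
# Added illustration: a toy URL-keyed accelerator cache, not Squid's code.
from urllib.parse import urlsplit

def origin(url, cookies):
    """Hypothetical origin: same page, slightly different when logged in.
    Returns (body, cacheable); logged-in responses are marked uncacheable
    (an assumption of this model)."""
    user = cookies.get("session")      # constructed cookie name
    path = urlsplit(url).path or "/"
    if user:
        return f"{path} as seen by {user}", False
    return f"{path} as seen by the public", True

class UrlKeyedCache:
    """Cache key is the URL only; cookies are never consulted on lookup."""
    def __init__(self, uncached_hosts=()):
        self.store = {}
        self.uncached_hosts = set(uncached_hosts)

    def fetch(self, url, cookies=None):
        cookies = cookies or {}
        if urlsplit(url).hostname in self.uncached_hosts:
            return origin(url, cookies)[0], "BYPASS"
        if url in self.store:          # lookup ignores the session cookie
            return self.store[url], "HIT"
        body, cacheable = origin(url, cookies)
        if cacheable:
            self.store[url] = body
        return body, "MISS"

def demo():
    cache = UrlKeyedCache(uncached_hosts={"login.mysite.com"})
    karl = {"session": "karl"}         # constructed logged-in session
    return {
        # Public visitor warms the cache for this URL.
        "public": cache.fetch("http://www.mysite.com/news"),
        # Same URL after login: served the stored public copy.
        "same_url": cache.fetch("http://www.mysite.com/news", karl),
        # Option 1: different URL, so a different cache key.
        "query_string": cache.fetch("http://www.mysite.com/news?login=yes", karl),
        # Option 3: separate host that the cache does not store.
        "own_host": cache.fetch("http://login.mysite.com/news", karl),
    }

if __name__ == "__main__":
    for name, (body, status) in demo().items():
        print(f"{name:13} {status:6} {body}")
```

If logged-in responses were stored under a shared key such as `?login=yes`, one user's page could be served to another, which is why post #5 mentions a per-user value like `user=123456`.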


(Kequi) #7

Thanks David, Aleks - your comments are appreciated.

 

Karl