Page Cache Output Includes Cached Headers and Cookies

Follow

Applies To:

Zend Server

Page Caching

Problematic Scenario

When creating Page (URL) Caching rules to speed up output of recurring web pages across your web application, there are 2 kinds of elements being cached - Headers and Body.

When a script generates HTTP response headers, for example, setting a cookie for the browser, and the URL for hitting the script gets cached by a compatible Page Caching Rule, it will record the set-cookie header into the cached object, along with the Body of the output (the HTML).

As soon as the next request comes and hit the caching rule, a valid cached object (with the set-cookie header) will be sent to the HTTP client.

As a result, there might be a situation where a cookie is modified in the browser by cached version of a Request URL, overriding old value which is expected for business logic (or user specific data) on other scripts running dynamically (not cached).

This can break the Browser <---> Server user related logic and assimilate one user for many, so any user getting the cached output will be identified as the original user who cached the URL.

Technical

Take, for example, this site flow:

1 - You visit login.php, successfully log into the system, getting a valid cookie named 'client' with value '123';

2 - You then browse the website until you hit a cached URL, which updates your 'client' cookie in order to refresh its lifetime (so you don't get thrown off the website once the cookie expires).

3. You continue to surf the website, while another visitor logs into the website and gets 'client' cookie with value '456'.

4. The other visitor surfs on and comes to the same cached URL you have visited in point 2.

From this point on, the other visitor gets a set-cookie from the page, overriding his own 'client' which was '456' with your generated cached value '123', which might also make his version of the website on dynamic pages look the same as your version, and even have the same user details and shopping cart items.

Workaround

There is a simple way to avoid this, which is to be careful which script updates headers (and cookies).

If URLs are being actively cached to speed up your site content, insert logic to avoid setting any cookie or headers so it is not recorded in cached script output headers.

Solution

At the moment, we have an open bug on the issue and will resolve this for future versions.

More Information

Start by checking Online Reference for Page Caching in Zend Server, how to work with the feature, what are caching rules, and PHP Configuration and APIs section for configuration tweaks and API calls to clear specific caches from the application itself.

Zend Server Online Reference - Page Caching Concepts

Have more questions? Submit a request

Comments

Powered by Zendesk