wp-rocket icon indicating copy to clipboard operation
wp-rocket copied to clipboard
verified publisher icon wp-media

User Cache: logged-in cache served to logged-out user

Open webtrainingwheels opened this issue 5 years ago • 19 comments

Describe the bug When User Cache is enabled, it sometimes happens that the logged-in cache file is served after a user logs out. This is because the browser is serving the cache file it has already stored directly with a 304 status code.

It seems to be related to the headers we set in class-cache.php:

https://github.com/wp-media/wp-rocket/blob/92b9036c6a7492d8790e8558ef60c8ce8b721470/inc/classes/Buffer/class-cache.php#L167-L188

https://github.com/wp-media/wp-rocket/blob/92b9036c6a7492d8790e8558ef60c8ce8b721470/inc/classes/Buffer/class-cache.php#L213-L234

We have been able to prevent this by commenting out last-modified in these places which short circuits the process, so that a 304 is not sent and a fresh response is generated from the server, which then serves the correct version of the cache, with a 200.

Temporary workaround

At the moment our only solution is modifying core files, which is not satisfactory. Specifically, comment out lines 168 and 214 (to disable the last-modified header)

It seems we need to not send last-modified/304 headers when User Cache is enabled. Or, @piotrbak has suggested no-store headers instead.

Cases

  • https://secure.helpscout.net/conversation/1293546841/197830?folderId=377611#thread-3844511238 (ultimate member)
  • https://secure.helpscout.net/conversation/1321194832/206056/ (Peters login redirect, AJAX Login and Registration modal popup + inline form, Logout clear cookies)
  • https://secure.helpscout.net/conversation/858755376/108770/ - (Register / Login / Edit Profile with Forms provided by the NinjaForms User Management Plugin/Addon)
  • https://secure.helpscout.net/conversation/1249856223/185622/ (using custom login urls)
  • https://secure.helpscout.net/conversation/1133534438/157157?folderId=1061330 (using custom login urls)

Possible cases:

  • https://secure.helpscout.net/conversation/1222209904/179715/
  • https://secure.helpscout.net/conversation/1319408142/205468/

I think there are likely more because until recently we weren't really investigating each case, assuming instead it was related to an incompatible menu plugin or similar.

To Reproduce Hard to replicate, we haven't yet identified the specific conditions. I have observed this behaviour from time-to-time on my own test sites, but cannot reproduce it at-will.

In this ticket there is a site on Stagecoach where the problem can be reproduced

In the cases where it happens consistently these are the steps:

  1. Make sure you are NOT using Incognito, make sure "disable cache" is NOT checked in your browser.
  2. Login, visit homepage, make sure it's cached in your browser
  3. Log out
  4. When you are returned to the homepage, you will have the logged-in cache (you can check the timestamp in the footer comment)

Expected behavior Logged-in cache file should only be served to logged-in users. After logging out, logged out cache file should be served.

Additional context Doesn't seem to be related to a specific plugin, but most if not all the cases seem to have custom logout urls. The issue happens even when these are excluded from the cache.

Related to: https://github.com/wp-media/wp-rocket/issues/1423

Backlog Grooming (for WP Media dev team use only)

  • [ ] Reproduce the problem
  • [ ] Identify the root cause
  • [ ] Scope a solution
  • [ ] Estimate the effort

webtrainingwheels avatar Nov 24 '20 01:11 webtrainingwheels

Related ticket: https://secure.helpscout.net/conversation/1381344421/227258/

In this case, they are using a modal (Indeed Ultimate Membership Pro) to log in, but they are using the default WordPress logout.

Preventing last-modified from being send fixed the issue.

vmanthos avatar Dec 30 '20 13:12 vmanthos

Related ticket: https://secure.helpscout.net/conversation/1412235252/235802/

The default WordPress login/logout functionality was used along with BuddyBoss.

Disabling the last-modified headers fixed the issue, but the following poped-up: https://github.com/wp-media/wp-rocket/issues/3274

vmanthos avatar Feb 11 '21 08:02 vmanthos

Related ticket: https://secure.helpscout.net/conversation/1454686795/247902?folderId=2135277

vmanthos avatar Mar 25 '21 12:03 vmanthos

Related ticket: https://secure.helpscout.net/conversation/1470118874/252154/

NataliaDrause avatar Apr 18 '21 07:04 NataliaDrause

Related ticket: https://secure.helpscout.net/conversation/1498348273/260165?folderId=3864740

NataliaDrause avatar May 03 '21 11:05 NataliaDrause

Related: https://secure.helpscout.net/conversation/1595451288/286226/

NataliaDrause avatar Aug 18 '21 12:08 NataliaDrause

Related: https://secure.helpscout.net/conversation/1795112335/327694?folderId=2135277

vmanthos avatar Mar 01 '22 11:03 vmanthos

Similar issue is happening with Cookie Notice plugin when consent is changing. Ticket: https://secure.helpscout.net/conversation/1807336051/329918?folderId=3864740

Steps to reproduce:

  1. Install and activate Cookie Notice plugin;
  2. In Cookie notice enable the following options:
  • Refuse Consent;
  • Revoke Consent;
  • Add <script>alert("true")</script> to Script blocking in Head;
  • enable reloading
  1. Install and activate helper plugin for creating different cache files based on cookie cookie_notice_accepted value.
  2. Clear Cache
  3. Open the site in incognito;
  4. Reject the cookies by clicking NO;
  5. Go to another page - click Revoke Consent;
  6. Click OK on the consent - the page is reloaded as expected and you get an "alert" that I placed for the test.
  7. Go to homepage or any other page - you get the alert as expected.
  8. Here is where it usually breaks: click Revoke Consent again;
  9. Click NO on the consent - the page is reloaded, but alert is still there. Sometimes you get it correctly with no alert, but click on some other pages you already checked and you will get the alert eventually.

The same workaround resolves the issue.

Slack: https://wp-media.slack.com/archives/C08N8J6VC/p1646731440022129

NataliaDrause avatar Mar 08 '22 10:03 NataliaDrause

This issue has been open for 1.5 years. Will you guys be able to fix it and provide the update?

ilyakar avatar Mar 14 '22 10:03 ilyakar

Related - https://secure.helpscout.net/conversation/1826988775/333761

DahmaniAdame avatar Mar 26 '22 18:03 DahmaniAdame

Related: https://secure.helpscout.net/conversation/1829844198/334206?folderId=3864740

NataliaDrause avatar Mar 30 '22 08:03 NataliaDrause

Related: https://secure.helpscout.net/conversation/1851805966/337997/

vmanthos avatar Apr 18 '22 07:04 vmanthos

Likely related: https://secure.helpscout.net/conversation/1870176892/340936

viobru avatar May 06 '22 08:05 viobru

Hey, on my site commenting last-modified doesn't eliminate the problem, just reduces the occurrence sometimes. If user has visited homepage sometimes, it still shows the logged in version after logging out. There is a 3rd occurrence of Last-Modified on this file. Should it be commented it too? Edit: I can confirm commenting 3rd Last-Modified on the maybe_process_buffer() function fixes the problem. Could there be another problem with this commenting?

chrismask avatar May 23 '22 02:05 chrismask

Related - https://secure.helpscout.net/conversation/1947520970/355560/

joejoe04 avatar Jul 14 '22 15:07 joejoe04

Related - https://secure.helpscout.net/conversation/1948867774/355866/

DahmaniAdame avatar Jul 26 '22 06:07 DahmaniAdame

Related: https://secure.helpscout.net/conversation/2057644500/379356

viobru avatar Nov 09 '22 14:11 viobru

Related: https://secure.helpscout.net/conversation/2063079842/380586/

viobru avatar Nov 10 '22 15:11 viobru