From: "Presto, Patrick"
To: users@httpd.apache.org
Date: Mon, 21 Jun 2010 08:13:17 -0600
Subject: [users@httpd] Caching is serving up the wrong user content to some users who log in.

We have just started enabling caching on our Apache 2.2.3 Web Server to take advantage of the performance increase. We use Apache as a proxy to our back end Java applications. One of our larger portal applications has had reports of users logging in and getting other users' content. We don't have this problem when we disable the cache, so we are somehow caching user-specific content sometimes. We don't see this with most users in production, and we are unable to replicate this behavior in test or production at this time.

Does anyone have any ideas what could cause this intermittent caching behavior?

I looked at the Change log and found something that could be a possibility, but I don't fully understand this bug. Under 2.2.12 Changes:

  *) mod_disk_cache/mod_mem_cache: Fix handling of CacheIgnoreHeaders
     directive to correctly remove headers before storing them.
     [Lars Eilebrecht]

Could it be possible that CacheIgnoreHeaders is sometimes storing a "Set-Cookie" header for content when it shouldn't be? If so, would it be possible that the next request for that content comes with the original requestor's cached "Set-Cookie" header and resets the current user's Cookie or ID? This could then cause the current user to access the original requestor's data, since the "Set-Cookie" header might have been accidentally stored in the cache.

If this could be the cause, does anyone know how I could prove this in test?

Here is our current caching configuration using mod_expires, mod_cache, and mod_disk_cache. We are disabling some areas of the site that use Velocity because we don't want to cache some of the dynamic stuff like sessionVariable property files, for example.

Any help is appreciated! Thank you!

<IfModule mod_cache.c>
    <IfModule mod_disk_cache.c>
        CacheRoot /opt/apache/cache/
        CacheEnable disk /
        # FORCE caching for all requests (without Cache-Control: no-cache)
        # If Last-Modified header is removed you need to set this to ON to cache
        CacheIgnoreNoLastMod On

        CacheDisable /business/sessionVariableSetup.vm
        CacheDisable /business/education/
        CacheDisable /business/partners/
        CacheDisable /business/consultants/
        CacheDisable /business/home/

        CacheIgnoreHeaders Set-Cookie Set-Cookie2
    </IfModule>

    <IfModule mod_expires.c>
        # Add expires headers for images, css & js files
        ExpiresActive On
        ExpiresByType image/gif A28800
        ExpiresByType image/jpeg A28800
        ExpiresByType image/png A28800
        ExpiresByType text/css A28800
        ExpiresByType text/javascript A28800
        ExpiresByType application/x-javascript A28800
        ExpiresByType application/javascript A28800
        ExpiresByType application/ecmascript A28800
        ExpiresByType image/x-icon A28800
    </IfModule>
</IfModule>

Patrick

________________________________
This communication is the property of Qwest and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
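The post asks how to prove in test that the cache is storing a Set-Cookie header or a per-user page and replaying it to the next session. The probe below is an added example written for this thread; it is not code from the poster, from the thread, or from the Apache httpd project. It assumes the backend's session cookie is named JSESSIONID (the post never names it), and it takes the test URL, two real session cookies and a marker string (something only the first user's page should contain, such as that user's name) on the command line. Run with no arguments it exercises the same checks on a constructed sample exchange.

```python
"""Probe a caching reverse proxy for cross-user content leakage.

Two different logged-in sessions fetch the same URL one after the other.
If the second response carries the first user's markers (the first
session id in Set-Cookie, the first user's name in the body) or the
headers show the object came out of a cache, per-user content is being
stored and replayed.  Usage: probe.py URL COOKIE_A COOKIE_B MARKER;
with no arguments the constructed sample data below is checked instead.
"""
import http.client
import re
import sys
from urllib.parse import urlsplit

# Assumption: the portal's session cookie is named JSESSIONID (the post
# never names it); change this to match the backend.
SESSION_COOKIE = "JSESSIONID"


def fetch_as_user(url, cookie_value, timeout=10):
    """GET url as one session and return the pieces the checks below need."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn.request("GET", path, headers={"Cookie": f"{SESSION_COOKIE}={cookie_value}"})
    resp = conn.getresponse()
    record = {"sent_cookie": cookie_value, "status": resp.status,
              "headers": resp.getheaders(),  # list of (name, value); repeats kept
              "body": resp.read().decode("utf-8", "replace")}
    conn.close()
    return record


def header_values(headers, name):
    """All values of one header, case-insensitively (Set-Cookie may repeat)."""
    return [v for k, v in headers if k.lower() == name.lower()]


def set_session_ids(headers):
    """Session ids assigned by any Set-Cookie header in the response."""
    pat = re.compile(r"\s*" + re.escape(SESSION_COOKIE) + r"=([^;]+)")
    ids = []
    for sc in header_values(headers, "Set-Cookie"):
        m = pat.match(sc)
        if m:
            ids.append(m.group(1))
    return ids


def cache_policy_findings(headers):
    """Static checks on one response: may a shared cache store and reuse it?"""
    findings = []
    cc = ",".join(header_values(headers, "Cache-Control")).lower()
    if "private" not in cc and "no-store" not in cc:
        findings.append("no Cache-Control: private/no-store, so a shared cache may store it")
    vary = ",".join(header_values(headers, "Vary")).lower()
    if "cookie" not in vary and "*" not in vary:
        findings.append("Vary lacks Cookie, so one stored copy serves every session")
    if header_values(headers, "Set-Cookie"):
        findings.append("Set-Cookie present; if stored it is replayed to the next requester")
    if header_values(headers, "Age"):
        findings.append("Age present, so this response was served from a cache")
    return findings


def detect_cross_user_leak(first, second, first_marker):
    """What did user B get after user A fetched the same personalized URL?"""
    problems = []
    first_ids = {first["sent_cookie"], *set_session_ids(first["headers"])}
    replayed = [sid for sid in set_session_ids(second["headers"]) if sid in first_ids]
    if replayed:
        problems.append(f"B received Set-Cookie for A's session {replayed}: cached Set-Cookie replayed")
    if first_marker in second["body"]:
        problems.append(f"B's body contains A's marker {first_marker!r}")
    if second["body"] == first["body"]:
        problems.append("A and B received byte-identical bodies for a personalized page")
    return problems


# Constructed sample exchange (not captured from the poster's site): A logs in
# and fetches the page, then B, with its own session, requests the same URL.
SAMPLE_A = {"sent_cookie": "A111", "status": 200,
            "headers": [("Content-Type", "text/html"), ("Set-Cookie", "JSESSIONID=A111; Path=/"),
                        ("Last-Modified", "Mon, 21 Jun 2010 13:00:00 GMT")],
            "body": "<h1>Welcome, alice</h1>"}
SAMPLE_B_LEAKED = {"sent_cookie": "B222", "status": 200,
                   "headers": [("Content-Type", "text/html"),
                               ("Set-Cookie", "JSESSIONID=A111; Path=/"), ("Age", "37")],
                   "body": "<h1>Welcome, alice</h1>"}
SAMPLE_B_CLEAN = {"sent_cookie": "B222", "status": 200,
                  "headers": [("Content-Type", "text/html"),
                              ("Cache-Control", "private, no-store"), ("Vary", "Cookie")],
                  "body": "<h1>Welcome, bob</h1>"}


def run_offline_demo():
    """Findings for the leaking and the clean constructed outcomes."""
    return {"leaked": detect_cross_user_leak(SAMPLE_A, SAMPLE_B_LEAKED, "alice"),
            "clean": detect_cross_user_leak(SAMPLE_A, SAMPLE_B_CLEAN, "alice"),
            "policy_A": cache_policy_findings(SAMPLE_A["headers"])}


if __name__ == "__main__":
    if len(sys.argv) == 5:
        url, cookie_a, cookie_b, marker = sys.argv[1:]
        a, b = fetch_as_user(url, cookie_a), fetch_as_user(url, cookie_b)
        for line in cache_policy_findings(a["headers"]) + detect_cross_user_leak(a, b, marker):
            print(line)
    else:
        for name, lines in run_offline_demo().items():
            print(name, lines)
```

To reproduce the report, log in as two users in two browsers, copy each session cookie, and run the probe against the test proxy once with the cache enabled and once with it disabled; a replayed Set-Cookie or an Age header on a personalized page is the evidence the post is looking for, and repeating the pair of fetches within the cache lifetime catches the intermittent case. Whatever the 2.2.12 CacheIgnoreHeaders fix turns out to cover, the durable protection is in the backend's own headers: mod_cache does not store responses marked Cache-Control: private or no-store unless CacheStorePrivate or CacheStoreNoStore is turned on, and a page whose body depends on the session should send Vary: Cookie. With CacheIgnoreNoLastMod On and no Cache-Control from the Java tier, a dynamic page without Last-Modified is stored for CacheDefaultExpire (one hour by default) and handed to the next session that asks for the same URL.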