

Weird HN caching bug: I appear logged in as other HN users sometimes - benhoyt

HN seems not to produce correct no-cache headers, so sometimes I appear logged in as other users. Kinda eerie, though I suppose with HN there's no major privacy issue :-), and it's not like I can do actual operations logged in as the other users, just viewing.

Incidentally, reddit had this exact bug almost two years ago, and spez fixed it: http://www.reddit.com/r/reddit.com/comments/6b2kq/

It happens because our ISP is caching the other guy's logged-in page, and then serving it up to me (and vice versa, I suppose). I'm pretty sure my ISP's caching proxy is following the HTTP spec. HN can fix it by giving more stringent no-cache headers. At the moment HN says "Cache-Control: max-age=0". reddit serves "Cache-Control: no-cache" as well as "Pragma: no-cache" and that seems to do it.
======
ams1
I ran into a bug like this with rails and restful_authentication. It came from
caching the logged in user through the session. I fixed it by using a cookie
to store the logged in user instead. Here's the issue:
<http://stackoverflow.com/questions/145169/inadvertent-session-hijacking-issue-with-restful-authentication>

------
pg
Yeah, sorry, I'm going to fix this.

------
Freebytes
Nice catch, benhoyt. It is even better that you know exactly what is causing
it. (However, I question the benefits of ISP caching in the networks of
today.)

~~~
eli
Depends where the ISP is located, though I suspect it has more to do with
cutting bandwidth costs than anything else.

------
timf
"_it's not like I can do actual operations logged in as the other users, just viewing._"

If you can see the user's "saved" feed (i.e., what submissions they voted
for), I would say that is a privacy issue. That is currently not public
information.

<http://news.ycombinator.com/saved?id=<user>>

------
nicpottier
This is surprisingly hard to get right on your first try, I ran into a similar
issue not too long ago with a framework I had built myself.

This page has a great synopses on how it should be done:
<http://www.mnot.net/cache_docs/>

------
piotrSikora
Setting either "Cache-Control: no-cache" or "Cache-Control: private" should
fix it.
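
The following is an added example, not code from HN, reddit or any proxy vendor: a small model of how a shared (ISP or corporate) proxy cache is allowed to treat the headers named in the original post and in piotrSikora's reply, following the directive semantics of RFC 7234. It shows why "max-age=0" still lets the proxy keep a copy of one user's logged-in page while "private" or "no-store" does not. The class and function names are this example's own.

```python
"""Shared-cache storability check for the Cache-Control values discussed above.

Added example, not code from HN or reddit.  The per-directive verdicts follow
RFC 7234 (sections 3, 4.2 and 5.2.2); the heuristic-freshness rule is
simplified to "a Last-Modified header is enough".
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SharedCacheDecision:
    may_store: bool                    # may a shared proxy cache keep a copy at all?
    reuse_without_revalidation: bool   # may it hand that copy to the next client as-is?
    reason: str


def parse_cache_control(value: str) -> dict:
    """'no-cache, max-age=0, ext="x"' -> {'no-cache': None, 'max-age': '0', 'ext': 'x'}"""
    directives = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, has_arg, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if has_arg else None
    return directives


def shared_cache_decision(headers: dict) -> SharedCacheDecision:
    """Decide what a shared cache may do with a response carrying these headers."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))

    # Legacy HTTP/1.0 proxies only understand Pragma; RFC 7234 5.4 says a bare
    # "Pragma: no-cache" is to be read as "Cache-Control: no-cache" when no
    # Cache-Control header is present.
    if not cc and h.get("pragma", "").strip().lower() == "no-cache":
        cc = {"no-cache": None}

    if "no-store" in cc:
        return SharedCacheDecision(False, False, "no-store: must not be written to any cache")
    if "private" in cc:
        return SharedCacheDecision(False, False, "private: shared caches must not store it")
    if "no-cache" in cc:
        return SharedCacheDecision(True, False,
                                   "no-cache: stored, but every reuse needs a successful revalidation")

    # Explicit freshness: s-maxage wins over max-age for shared caches.
    ttl = cc.get("s-maxage", cc.get("max-age"))
    if ttl is not None:
        try:
            seconds = int(ttl)
        except ValueError:
            seconds = 0   # this example's conservative choice for a malformed value
        if seconds > 0:
            return SharedCacheDecision(True, True, f"fresh for {seconds}s: served to anyone who asks")
        return SharedCacheDecision(True, False,
                                   "max-age=0: stored, stale at once, must revalidate before reuse")

    if "last-modified" in h:
        return SharedCacheDecision(True, True,
                                   "no explicit freshness: heuristic freshness from Last-Modified")
    return SharedCacheDecision(True, False, "no freshness info: stored but stale, needs revalidation")


def safe_for_logged_in_page(headers: dict) -> bool:
    """A per-user page is only safe if a shared cache never keeps a copy of it."""
    return not shared_cache_decision(headers).may_store


if __name__ == "__main__":
    # Constructed header sets mirroring the values quoted in the thread.
    for name, hdrs in [
        ("HN at the time", {"Cache-Control": "max-age=0"}),
        ("reddit after the fix", {"Cache-Control": "no-cache", "Pragma": "no-cache"}),
        ("private", {"Cache-Control": "private"}),
        ("no-store", {"Cache-Control": "no-store"}),
    ]:
        print(f"{name:22} safe={safe_for_logged_in_page(hdrs)!s:5} {shared_cache_decision(hdrs).reason}")
```

The distinction the model draws is the practical one: "max-age=0" and "no-cache" both let the proxy keep user A's page and only oblige it to revalidate, so user B is protected only for as long as the origin never answers that revalidation with a 304; "private" or "no-store" stops the shared copy from existing in the first place, which is the robust choice for any page that differs per logged-in user.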

------
lallysingh
Yeah, the company cache-proxy here is doing the same.

~~~
xpaulbettsx
Me too - I only see this at work where we're running MS ISA Firewall

