Tom Williams wrote:
> I've been racking my brain trying to figure this out so I'm asking the 
> community here.   I'm using Squid 3.0-STABLE12 as a reverse proxy on Linux.
> 
> Here's the scenario:
> 
> An anonymous user visits my site, http://www.mysite.com/ and can browse 
> around just fine.  As they browse around, Squid caches the pages which 
> are generated by a PHP-based web app.  We're using these Cache-Control 
> headers to control the content caching:
> 
> Cache-Control: public, must-revalidate, max-age=0, s-maxage=10800
> 
> Ok, on all the pages there is a "sign-in" link they can click to sign in 
> to the site.  When they click the "sign-in" link to sign in, we switch 
> to HTTPS to make sure the userid/password are sent securely.  Once they 
> are signed in, they are returned back to the regular site using HTTP but 
> we set a cookie to signal the user is signed in.   At this point, we DO 
> NOT want to cache the pages since the user is signed in.   This is where 
> the issue arises.
> 
> After signing in to the site, the user gets the *cached* version of the 
> page they were on instead of the page which reflects they are now signed 
> in to the site.   After the user signs in to the site, we send this 
> Cache-Control header to prevent caching of the pages after the user is 
> signed in:
> 
> Cache-Control: private, must-revalidate, no-cache, no-store, max-age=0, s-maxage=0
> 
> The goal we are after is to have Squid cache pages for anonymous users 
> ONLY and NOT cache pages for signed in users.
> 
> Is this possible?  If so, what am I missing to accomplish this?
> 
The config you have above can be expected to do that. Have you noticed 
otherwise?

Many alternate ways discussed very recently.
  * Using Vary: header to tell Squid the Cookie: header determines the result
  * Using custom headers + Vary: to do same
  * Using HTTPS for the whole logged in session
  * Using digest authentication that can be sent securely in headers.
  * Using Cache-Control: private on secure pages.
  * Using a secondary domain for logged in users
  * Using URL tokens to split the private pages apart

Amos
-- 
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.5

Received on Wed Feb 04 2009 - 06:35:38 MST
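An added example, not part of the original thread and not Squid's code: a simplified model of a shared cache serving the two Cache-Control headers from the question, with and without the `Vary: Cookie` option from the list above. The cookie name `signed_in`, the path `/news` and the `origin()` handler are assumptions made for the illustration, and stored entries are treated as still inside the `s-maxage` window.

```python
# Simplified shared-cache model; not Squid's implementation.
# Assumptions: the cookie name "signed_in", the path "/news" and origin() are
# constructed for this example; every stored entry is treated as still fresh
# (inside the s-maxage=10800 window), so expiry is not modelled.
ANON_CC = "public, must-revalidate, max-age=0, s-maxage=10800"
MEMBER_CC = "private, must-revalidate, no-cache, no-store, max-age=0, s-maxage=0"

def origin(path, req, send_vary):
    """Stand-in for the PHP app: picks the Cache-Control header by cookie."""
    member = "signed_in=1" in req.get("Cookie", "")
    headers = {"Cache-Control": MEMBER_CC if member else ANON_CC}
    if send_vary:
        headers["Vary"] = "Cookie"
    return headers, f"{path} rendered for {'member' if member else 'anonymous'}"

class SharedCache:
    def __init__(self, send_vary):
        self.send_vary = send_vary
        self.store = {}        # path -> [(vary_values, body), ...]
        self.origin_hits = 0

    def fetch(self, path, req):
        # A stored variant matches when every header named by Vary has the
        # same value in this request as in the request that created it.
        for vary_values, body in self.store.get(path, []):
            if all(req.get(h, "") == v for h, v in vary_values.items()):
                return body, "HIT"   # origin is never asked
        self.origin_hits += 1
        headers, body = origin(path, req, self.send_vary)
        directives = {d.strip().split("=")[0] for d in headers["Cache-Control"].split(",")}
        if not directives & {"private", "no-store"}:
            names = [h.strip() for h in headers.get("Vary", "").split(",") if h.strip()]
            self.store.setdefault(path, []).append(({h: req.get(h, "") for h in names}, body))
        return body, "MISS"

def run(send_vary):
    """Anonymous visit, two requests after sign-in, then another anonymous visit."""
    cache = SharedCache(send_vary)
    anon, member = {}, {"Cookie": "signed_in=1"}
    results = [cache.fetch("/news", r) for r in (anon, member, member, anon)]
    return results, cache.origin_hits

if __name__ == "__main__":
    for send_vary in (False, True):
        print("Vary: Cookie" if send_vary else "no Vary", run(send_vary))
```

In this model the request carrying the cookie is answered from the stored anonymous copy unless the stored response names `Cookie` in `Vary`; with `Vary: Cookie` it reaches the origin, and the `private, no-store` reply is never stored for other users.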