
I run a site and once in a while users contact me because they either can't log in, or can log in but have problems submitting forms (the forms are on protected pages, using PHP sessions). Until now, I've been able to tell users to just switch browsers, and the problem cleared up: I figured that it was some sort of browser issue since it wasn't every user who was having this issue. Further, all problem users were using IE. I then thought that perhaps it was an IE-specific problem until a new user had the same issue on Chrome/Firefox (I logged into the user's account on 2 different machines and was not able to replicate the Chrome/Firefox issue).

After doing some digging, I now think the problem might be session related. This site says that:

Older cache files and cookies also need to be cleared before you visit secure areas like a payment portal or a shopping cart. “Session expired” is a common notification if old browser cache and cookies haven’t been junked.

After doing some further digging on Stack Overflow, I found a community wiki started by @BalusC saying that the proper way to avoid caching a page via PHP would be to use:

header('Cache-Control: no-cache, no-store, must-revalidate'); // HTTP 1.1.
header('Pragma: no-cache'); // HTTP 1.0.
header('Expires: 0'); // Proxies.

With the above in mind, I have a couple of questions:

  1. Would I just put the above code on my login screen? It would seem to me that if I put it on any page where the user were logged in, then they would be logged out since the session won't be cached.
  2. If I use a CDN (Cloudflare), would their caching process override what I write on the specific page?

Thanks!

EDIT:

My login page is as follows:

<div id="login_form">
  <form id="login" method="post">
    <?php
    // $failed is assumed to be set by the authentication code, which is not shown here.
    $login_problem = FALSE;
    if (isset($_POST['signin']) && $failed) {
        $login_problem = TRUE;
        $login_error_result = '<a href="/admin/forgotten.php">Forget something?</a>';
    }
    ?>
    <table>
      <tr>
        <td>
          <label for="username">Username:</label>
          <input name="username" id="username" type="text" maxlength="15" />
        </td>
        <td colspan="2">
          <label for="password">Password: <?php if ($login_problem) { echo $login_error_result; } ?></label>
          <input type="password" id="password" name="password" maxlength="15" />
        </td>
        <td id="login_submit">
          <input type="submit" name="signin" class="submit" value="Sign in!" />
        </td>
      </tr>
    </table>
  </form>
</div>
Eric
  • Hey, Eric, to help me and other members, have you collected any other data about the users who are experiencing the errors (browser types, versions, operating system, their last login time, etc.)? – Spencer D Sep 22 '14 at 17:20
  • I started looking into ways to record browsers, versions, etc., but it seemed that knowing the exact browser seemed to be an imperfect process. However, everyone except for the last user told me that they were using IE, and a simple browser change did the trick. I also started googling "login problems" and there are lots of sites that basically say that the user should clear their browser cookies --- this would seem to indicate that there's nothing that I can do on my end. One example is: https://kb.iu.edu/d/ahic. So, perhaps it IS just something that the user has to take care of? – Eric Sep 23 '14 at 00:15
  • Interesting. Browsers are supposed to automatically clear PHP sessions on exit, though. However, it could be possible that the browser is acting up with that. – Spencer D Sep 24 '14 at 17:49
  • Yes, I think that this might be the case. So, I feel like there's no real solution to my question. However, I'm planning on doing 2 things. First, using PHP, I'm going to set a cookie in the user's browser. Then, on my contact page, I'll send them to a "help with cookies page" if they write me because they can't log in. On that page, I'm going to have links on how to check whether the browser has cookies enabled. In addition, I'll have some other links to explain how to clear the cookies. We'll see if that cuts down on the users who contact me for help! Thanks for all of your thoughts... – Eric Sep 24 '14 at 21:06

2 Answers


I too run a website which allows users to log in and navigate protected pages. Personally I use cookies for the process, but the PHP session is in essence a cookie with the name phpsessid. Here are the PHP headers that I use to prevent caching:

header("Cache-control: no-store, no-cache, must-revalidate");
header("Expires: Mon, 26 Jun 1997 05:00:00 GMT");
header("Pragma: no-cache");
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");

When writing out my anchor tags for site navigation, I use echo "$anchorTagLink?cacheBuster=" . time();

This seems to effectively prevent caching because the page itself sends a message basically saying, "Don't cache me!" and each link is a new unique link.

CloudFlare can influence caching because they can stream back a cached copy of your page; however, I believe this is adjustable in the CloudFlare settings (though I'm not 100% sure).


EDIT:

Here are some details on PHP Cache Control: http://css-tricks.com/snippets/php/intelligent-php-cache-control/

Spencer D
  • Thanks for the response! And, would you just put the PHP headers on the login page? I would certainly want to cache assets such as js and css on my site. Or would the headers have to go on every protected page thereby wrecking the caching of my other assets? – Eric Sep 20 '14 at 20:55
  • I personally put this header everywhere, but my webserver practices no caching at all. You could cache your pages, and then use PHP to stream back stylesheets/javascript/etc. – Spencer D Sep 20 '14 at 21:05
  • You could also take the Yahoo approach. Yahoo streams back all HTML, but they say "our_css_name_v0_0_0.css" So, for example, "outputStyles_v1_0_2.css" Then their next update the style sheet name changes to "outputStyles_v1_0_3.css" (or whatever version it is). However, I believe streaming back css/javascript using PHP is a much more viable solution. – Spencer D Sep 20 '14 at 21:09
  • Maybe I need to back up a minute...all of my pages have .php extensions, so I *think* that this means that none of my HTML is cached (which is fine). My assets (js/css) are cached through Cloudflare; and I'm not worried about my updates being stale, since there's a "purge cache" option in Cloudflare which refreshes these assets. My concern, however, is that the cookie (phpsessid) might somehow be cached, causing some of my users to have login problems. So, would adding the PHP headers prevent issues with the cookie? Would it prevent caching of assets? Both? – Eric Sep 20 '14 at 21:18
  • Adding this would not prevent cookies. Cookies are stored until their expiration date. Browsers are not supposed to store cookies or submit cookies beyond their expiration date. Cookies and caches are really two separate things. The one is a stored server response (or rather just the content of said response), whereas cookies are a stored server variable. The cache, on the one hand, is received and never transmitted back to the server. The cookies, on the other hand, are received and transmitted back to the server with every relevant http(s) request. (continued in next comment) – Spencer D Sep 20 '14 at 23:01
  • Adding this would prevent caching of HTML pages, but it would not prevent caching of assets which are found in different files/sources (e.g., "src='something.css'"). If your login has time based components (i.e. the page must be submitted within 20 minutes of it being loaded), then this would likely solve any caching issues related to that. – Spencer D Sep 20 '14 at 23:03
  • I appreciate the additional thoughts, and I definitely have a better understanding of caching at this point. However, since my login doesn't have any time-based components, then it sounds like unfortunately, the PHP headers wouldn't actually help in this particular situation, wouldn't you agree? – Eric Sep 21 '14 at 13:53
  • In this particular case, perhaps not. However, it would help in the case of a user accessing a protected page (let's say profile.php) and receiving back a cached copy even though their cookie expired. If you'd be willing to post up the login form (you can rename the `action` element if you'd like) as well as part of the login code, then I could read through it and possibly edit my answer to address any other potential errors. – Spencer D Sep 21 '14 at 17:23
  • I've just added the login code. I would be happy to show you my authentication code, but I fear that it's a bit involved. Anyway, Stack Overflow just asked to move this discussion to chat. If you do notice something in my form, and would like to respond via chat, then, I'd be happy to mark your response as the solution here on the board. – Eric Sep 22 '14 at 02:01
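
The split discussed in this answer and its comments, as an added example that is not part of the original thread: no-store headers on every response whose output depends on the PHP session, cacheable headers on static assets only. The function names, the extension list, the max-age value and the sample paths are assumptions made for illustration.

```php
<?php
// Added example (not from the thread): choose cache headers per response type.
// Function names, the asset extension list and the sample paths are hypothetical.

/** Headers for a response; $usesSession means the output depends on the PHP session. */
function cache_policy(string $path, bool $usesSession): array
{
    $file = (string) parse_url($path, PHP_URL_PATH);
    $ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
    $staticAsset = in_array($ext, ['css', 'js', 'png', 'jpg', 'gif', 'svg', 'woff2'], true);

    if ($usesSession || !$staticAsset) {
        // Login form and every protected page: no browser, proxy or CDN may keep a copy.
        return [
            'Cache-Control' => 'no-store, no-cache, must-revalidate',
            'Pragma'        => 'no-cache',
            'Expires'       => '0',
        ];
    }
    // Versioned static files carry no user data and may be cached by any cache.
    return ['Cache-Control' => 'public, max-age=86400'];
}

/** Call at the top of a protected page, before any output is sent. */
function start_protected_page(string $path): void
{
    // "nocache" is PHP's default limiter: session_start() then sends no-store headers itself.
    session_cache_limiter('nocache');
    session_start();
    foreach (cache_policy($path, true) as $name => $value) {
        header("$name: $value");
    }
    // These headers do not touch the session cookie: the browser keeps sending it
    // on every request until it expires, whether or not the page body is cached.
}

// Constructed sample requests, printed when the file is run from the command line.
if (PHP_SAPI === 'cli') {
    $samples = [['/login.php', true], ['/profile.php', true], ['/css/site_v1_0_2.css', false]];
    foreach ($samples as [$path, $usesSession]) {
        echo $path, ' => ', cache_policy($path, $usesSession)['Cache-Control'], PHP_EOL;
    }
}
```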

I think it could also be a JavaScript issue; sometimes JavaScript could be disabled on Chrome or IE. You could try to disable JavaScript and see what happens. You can add NO-CACHE on the login page only. Though I have tested NO_Cache and it doesn't always seem to work.

On your login page, do you have JavaScript validation or PHP validation?

  • Thanks for the quick response. And, it's all PHP validation. – Eric Sep 18 '14 at 14:46
  • I can send you a PHP login code that works like a Windows domain controller. So to protect a page you simply add include('system_load.php'); authenticate_user('usergroup'); – Regardt Ogies Myburgh Sep 18 '14 at 14:51
  • I appreciate the offer, but I've created my own login code and it's worked great except for the sporadic user; and it certainly would be helpful to understand what's currently going on here. – Eric Sep 18 '14 at 14:54
  • It's a bit involved because of the classes, etc. – Eric Sep 18 '14 at 17:19