NetScaler caching comment author information

RESOLVED FIXED

12 years ago
4 years ago

People

(Reporter: reed, Assigned: oremj)

(Reporter)

Description

12 years ago
When I went to look at the new "planet" blog on blog.mozilla.com and scrolled down to the comment box, I see that the fields already have been pre-filled with sayrer's personal information, including his name, e-mail address, and website. This is Just Bad(tm). The NetScaler should not be caching pages that include the comment box.

Comment 1

12 years ago
More specifically, WordPress should send no-cache headers for things that shouldn't be cached - NetScaler is doing what it's supposed to. Given we probably won't get a code change from WP, we'll have to put in an explicit exclude to deal with WP's deficiencies. Reed - can you narrow it down to a set of URLs that should be excluded?
(Reporter)

Comment 2

12 years ago
Well, I can give you the opposite. Basically, the NS can cache http://blog.mozilla.com and any of the blogs directly under it (such as http://blog.mozilla.com/planet/). Anything that goes more detailed than those two urls should not be cached.
(Assignee)

Updated

12 years ago
Assignee: server-ops → oremj

Comment 3

12 years ago
Justin's exactly right - grabbing /planet/2007/03/07/welcome-to-the-planet-blog/ from blog.mozilla.com and from mrapp02 shows the "go ahead and cache me" headers. 

mrz@boris [~/] 29> cat from-blogs
HTTP/1.1 200 OK
Date: Thu, 08 Mar 2007 09:43:32 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
X-totalblogs: 23
X-rootblog: http://blog.mozilla.com/
X-created-on: 2007-03-07 18:31:35
X-Pingback: http://blog.mozilla.com/planet/xmlrpc.php
Status: 200 OK
Cache-Control: max-age=60
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

mrz@boris [~/] 30> cat from-mrapp02
HTTP/1.1 200 OK
Date: Thu, 08 Mar 2007 09:43:43 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
X-totalblogs: 23
X-rootblog: http://blog.mozilla.com/
X-created-on: 2007-03-07 18:31:35
X-Pingback: http://blog.mozilla.com/planet/xmlrpc.php
Status: 200 OK
Cache-Control: max-age=60
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

Comment 4

12 years ago
(In reply to comment #2)
> Well, I can give you the opposite. Basically, the NS can cache
> http://blog.mozilla.com and any of the blogs directly under it (such as
> http://blog.mozilla.com/planet/). Anything that goes more detailed than those
> two urls should not be cached.

I don't know if I agree with that - that's saying that none of the blog entries should ever be cached.

So this,
http://blog.mozilla.com/planet/2007/03/07/welcome-to-the-planet-blog/

Shouldn't get in the cache?

And can't imagine why the form would be pre-filled out (since that's not in the html src, is it?) - none of the browsers I have show it filled out.

Comment 5

12 years ago
(In reply to comment #4)
> 
> And can't imagine why the form would be pre-filled out


This is happening because a successful comment POST request is greeted with a 30x response containing a Set-Cookie header. The browser dutifully sends a GET to the redirect URI along with the Cookie: value it just received, and that response (with pre-populated form values) is cached.

The NetScaler sounds pretty aggressive. Strictly speaking, WordPress should send a response header of "Vary: Cookie" for individual posts, but I don't think things like Squid fall for this one.
(Assignee)

Comment 6

12 years ago
In this situation the app should now send no-cache headers.
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
Product: mozilla.org → mozilla.org Graveyard
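
The sequence described in comment 5, and the two fixes mentioned in comments 5 and 6, replayed against a toy shared cache. This is an added example, not part of the original bug thread and not WordPress or NetScaler code; the cookie name `comment_author`, the `SharedCache` class, the `mode` switch and the sample cookie value are assumptions made for illustration.

```python
# Added illustration: a minimal shared cache in front of a toy blog origin.
# All names here (origin, SharedCache, comment_author) are hypothetical.

def origin(path, cookies, mode):
    """Toy origin: pre-fills the comment form from the commenter's cookie."""
    author = cookies.get("comment_author", "")
    headers = {"Cache-Control": "max-age=60"}           # as in the header dumps above
    if mode == "vary":
        headers["Vary"] = "Cookie"                      # header named in comment 5
    elif mode == "no-cache" and author:
        headers["Cache-Control"] = "no-cache, private"  # direction taken in comment 6
    return headers, f'<input name="author" value="{author}">'


class SharedCache:
    """Keys on the URL; honours Cache-Control and Vary: Cookie, nothing else."""

    def __init__(self, mode):
        self.mode, self.store = mode, {}

    def get(self, path, cookies):
        cookie_hdr = "; ".join(f"{k}={v}" for k, v in sorted(cookies.items()))
        for vary_cookie, cached_cookie, body in self.store.get(path, []):
            # Without Vary: Cookie, any stored copy matches any visitor.
            if not vary_cookie or cached_cookie == cookie_hdr:
                return "HIT", body
        headers, body = origin(path, cookies, self.mode)
        cc = headers["Cache-Control"].lower()
        # Simplification: no-cache is treated as do-not-store, like no-store/private.
        if not any(d in cc for d in ("no-cache", "no-store", "private")):
            vary_cookie = "cookie" in headers.get("Vary", "").lower()
            self.store.setdefault(path, []).append((vary_cookie, cookie_hdr, body))
        return "MISS", body


def replay(mode):
    """Commenter's post-redirect GET arrives first, then an anonymous visitor."""
    cache = SharedCache(mode)
    post = "/planet/2007/03/07/welcome-to-the-planet-blog/"
    cache.get(post, {"comment_author": "constructed-name"})  # constructed value
    return cache.get(post, {})  # what the anonymous visitor receives


if __name__ == "__main__":
    for mode in ("original", "vary", "no-cache"):
        print(mode, replay(mode))
```

In the `original` mode the anonymous visitor gets a cache hit carrying the commenter's pre-filled form; in the other two modes the visitor's request reaches the origin and the form comes back empty.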