NetScaler caching comment author information

RESOLVED FIXED

Status

mozilla.org Graveyard
Server Operations
RESOLVED FIXED
11 years ago
3 years ago

People

(Reporter: reed, Assigned: oremj)

(Reporter)

Description

11 years ago
When I went to look at the new "planet" blog on blog.mozilla.com and scrolled down to the comment box, I see that the fields already have been pre-filled with sayrer's personal information, including his name, e-mail address, and website. This is Just Bad(tm). The NetScaler should not be caching pages that include the comment box.

Comment 1

11 years ago
More specifically, WordPress should send no-cache headers for things that shouldn't be cached - NetScaler is doing what it's supposed to. Given we probably won't get a code change from wp, we'll have to put in an explicit exclude to deal with wp's deficiencies. Reed - can you narrow it down to a set of URLs that should be excluded?
(Reporter)

Comment 2

11 years ago
Well, I can give you the opposite. Basically, the NS can cache http://blog.mozilla.com and any of the blogs directly under it (such as http://blog.mozilla.com/planet/). Anything that goes more detailed than those two urls should not be cached.
(Assignee)

Updated

11 years ago
Assignee: server-ops → oremj

Comment 3

11 years ago
Justin's exactly right - grabbing /planet/2007/03/07/welcome-to-the-planet-blog/ from blog.mozilla.com and from mrapp02 shows the "go ahead and cache me" headers. 

mrz@boris [~/] 29> cat from-blogs
HTTP/1.1 200 OK
Date: Thu, 08 Mar 2007 09:43:32 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
X-totalblogs: 23
X-rootblog: http://blog.mozilla.com/
X-created-on: 2007-03-07 18:31:35
X-Pingback: http://blog.mozilla.com/planet/xmlrpc.php
Status: 200 OK
Cache-Control: max-age=60
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

mrz@boris [~/] 30> cat from-mrapp02
HTTP/1.1 200 OK
Date: Thu, 08 Mar 2007 09:43:43 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
X-totalblogs: 23
X-rootblog: http://blog.mozilla.com/
X-created-on: 2007-03-07 18:31:35
X-Pingback: http://blog.mozilla.com/planet/xmlrpc.php
Status: 200 OK
Cache-Control: max-age=60
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

Comment 4

11 years ago
(In reply to comment #2)
> Well, I can give you the opposite. Basically, the NS can cache
> http://blog.mozilla.com and any of the blogs directly under it (such as
> http://blog.mozilla.com/planet/). Anything that goes more detailed than those
> two urls should not be cached.

I don't know if I agree with that - that's saying that none of the blog entries should ever be cached.

So this,
http://blog.mozilla.com/planet/2007/03/07/welcome-to-the-planet-blog/

Shouldn't get in the cache?

And can't imagine why the form would be pre-filled out (since that's not in the html src, is it?) - none of the browsers I have show it filled out.

Comment 5

11 years ago
(In reply to comment #4)
> And can't imagine why the form would be pre-filled out

This is happening because a successful comment POST request is greeted with a 30x response containing a Set-Cookie header. The browser dutifully sends a GET to the redirect URI along with the Cookie: value it just received, and that response (with pre-populated form values) is cached.

The NetScaler sounds pretty aggressive. Strictly speaking, WordPress should send a response header of "Vary: Cookie" for individual posts, but I don't think things like Squid fall for this one.
(Assignee)

Comment 6

11 years ago
In this situation the app should now send no-cache headers.
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
Product: mozilla.org → mozilla.org Graveyard
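
The header check discussed in comments 1, 5 and 6, written out as an added example (not code from the bug thread or from WordPress/NetScaler). It classifies a raw response header block by whether a shared cache may hand the same body to another user. The function names and verdict strings are hypothetical, and the sample input is abridged from the capture in comment 3.

```python
# Added example, not from the bug thread. Simplified model of shared-cache
# reuse rules; Expires and heuristic freshness are deliberately not modelled.

# Constructed sample: abridged from the header capture in comment 3.
CAPTURED = """HTTP/1.1 200 OK
Date: Thu, 08 Mar 2007 09:43:32 GMT
Server: Apache/2.0.52 (Red Hat)
X-Pingback: http://blog.mozilla.com/planet/xmlrpc.php
Cache-Control: max-age=60
Content-Type: text/html; charset=UTF-8
"""

def parse_headers(raw):
    """Return {lowercased name: [values]} from a raw response header block."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def tokens(headers, name):
    """Split a comma-separated header into lowercased tokens."""
    return [t.strip().lower()
            for v in headers.get(name, []) for t in v.split(",") if t.strip()]

def shared_cache_verdict(raw, request_had_cookie):
    """Hypothetical helper: how may a shared cache reuse this response?"""
    h = parse_headers(raw)
    # Map each Cache-Control directive to its value ("" when it has none).
    cc = dict((t.split("=", 1) + [""])[:2] for t in tokens(h, "cache-control"))
    vary = set(tokens(h, "vary"))
    if cc.keys() & {"no-store", "private", "no-cache"} or "*" in vary:
        return "no-blind-reuse"   # not stored, or revalidated with the origin
    if "cookie" in vary:
        return "keyed-on-cookie"  # assumes the cache honours Vary
    # s-maxage overrides max-age for shared caches.
    lifetime = (cc.get("s-maxage") or cc.get("max-age") or "0").strip('"')
    if lifetime.isdigit() and int(lifetime) > 0:
        # Served as-is to every client while fresh.
        if request_had_cookie or "set-cookie" in h:
            return "shared-leak-risk"
        return "shared"
    return "no-blind-reuse"       # assumption: no heuristic caching

if __name__ == "__main__":
    fixed = CAPTURED.replace("max-age=60", "no-cache, must-revalidate, max-age=0")
    print(shared_cache_verdict(CAPTURED, True))   # response as captured
    print(shared_cache_verdict(fixed, True))      # with no-cache added
```
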