xtim
Friday, January 30, 2009
 
The problem with the button cache
is that I misconfigured it.

We started to see people getting logged out of the site unexpectedly while in the middle of a session.

Finally realised that mod_cache is caching the Set-Cookie: headers in the button image responses. The only cookie we would set there is if a request has arrived without an existing session, in which case we set the cookie to indicate our main shop account.

When your cached button image expires, your browser would request the copy cached in Apache. Apache would deliver that, along with the Set-Cookie header if one had been stored. Then whoosh - you're back in the shop.

Ooooooh dear.

The fix is easy once you realise that you need it - use


CacheIgnoreHeaders Set-Cookie


to tell mod_cache not to cache the cookie header. That's now in place and is working (I've checked the stored headers and they're clean). Hoping that's the end of it!

T
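
The stored-header check mentioned above can be scripted. This is an added example, not the author's own code: it assumes the Apache disk cache layout, where each cached entry has a file ending in .header under CacheRoot, and the function names and sample paths are constructed for illustration.

```shell
#!/bin/sh
# List disk-cache header files that still hold a stored Set-Cookie header.
# Assumption: cache entries live under CacheRoot as "<name>.header" files
# (binary metadata, then the URL, then "Name: value" response headers).

# find_cached_cookies CACHE_ROOT
# Prints one path per offending header file; prints nothing when clean.
find_cached_cookies() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    # -a: treat the binary-prefixed file as text; -i: header names are
    # case-insensitive; -l: report only the names of matching files.
    find "$root" -type f -name '*.header' \
        -exec grep -lai 'set-cookie:' {} + 2>/dev/null | sort
}

# count_cached_cookies CACHE_ROOT -> number of header files storing a cookie
count_cached_cookies() {
    find_cached_cookies "$1" | wc -l | tr -d ' '
}

# make_sample_cache DIR
# Writes CONSTRUCTED sample entries (not real cache contents): one entry
# stored with a Set-Cookie header, one stored without.
make_sample_cache() {
    mkdir -p "$1/aa" "$1/bb"
    printf '\001\002http://shop.example/button.png?Content-Type: image/png\r\nSet-Cookie: session=constructed-shop-account\r\n\r\n' \
        > "$1/aa/dirty.header"
    printf '\001\002http://shop.example/logo.png?Content-Type: image/png\r\n\r\n' \
        > "$1/bb/clean.header"
    # Body files are not scanned, whatever they contain.
    printf 'Set-Cookie: appears in a body, not in stored headers\n' \
        > "$1/aa/dirty.data"
}

# With an argument, scan that cache root; otherwise scan the constructed sample.
if [ "$#" -gt 0 ]; then
    find_cached_cookies "$1"
else
    demo=$(mktemp -d) && make_sample_cache "$demo"
    find_cached_cookies "$demo"
    rm -rf "$demo"
fi
```

Entries cached before CacheIgnoreHeaders was added keep their stored headers until they expire or are removed, so a non-empty result right after the change points at old entries.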
