Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Use cache-control headers on pages requiring authentication
See original GitHub issueIssue Summary
When a Page is password protected, its publicly-viewable version displays a password form at the Page’s URL. If caching is used, this means that the form itself can get cached, preventing the user from progressing to the Page itself - the cached password form can keep getting returned.
I and @vsalvino had this issue using wagtail-cache, which he provided a solution for. But he suggested that if Wagtail itself issued cache-control: private headers when the page required authentication, that would probably make more sense.
Steps to Reproduce
- Install wagtail-cache (or maybe use some other caching solution)
- Create a Page, set it to Live, and protect it with a Password
- Visit the Page’s URL and enter the correct password
- Instead of getting the Page itself, the form will be returned.
Technical details
- Python version: 3.6
- Django version: 2.1
- Wagtail version: 2.4
- Browser version: macOS Safari 12
Looks like there was a similar proposal in 2015, closed due to lack of interest. @loicteixeira in Slack suggested I open this.
Issue Analytics
- State:
- Created 5 years ago
- Reactions:4
- Comments:5 (4 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
I was thinking that the
Vary: Cookieheader that Django automatically emits wheneverrequest.sessionis accessed would solve this. But this might not be the case if the cookies are being created by this view.What I think might be happening is follows:
When the first user without a cookie visits the page, Django creates session and returns response with
Set-CookieandVary: CookieheadersWhen the second user without a cookie visits the page, the cache returns the first user’s response because the first user didn’t have a cookie when they made the request (and
Vary: Cookieprobably isn’t clever enough to see theSet-Cookiein the response)If that’s the case, then adding
Cache-control: privateor justCache-control no-cache="Set-Cookie"should solve it.The lack of
Cache-Controlheaders caused us not only an availability issue (CSRF errors when attempting to log in) but also significant security issues (the password-protected content was visible without logging in due to the cache, once a different browser could log in).https://github.com/coderedcorp/wagtail-cache/issues/35 details some of our testing (the lack of a “don’t cache” Cache-Control header is a problem for core, it would seem)