Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By gollyg on
I am not sure whether to regard this as an issue with drupal or one with the network I am working on, so I thought I would post it as a forum topic and see what people think.
I used an install of Drupal 4.7b5 in a class based environment and had students log in to the site. All things were going fine until someone said they could see another persons profile! This problem started happening to a few students.
I imagine that the proxy server for the network was caching the last version of www.mysite.com/user and each subsequent user was seeing the cached version when they went to edit their own profile. This did not seem to allow users to change or update other users details (I imagine the session id blocks this) but it did allow them to view other users email addresses!
If they refreshed their page they got the latest version of the site.
Is there a server side setting to add to the htaccess or drupal itself to override the proxies tendency to cache? Or has anyone experienced this before?
BTW it is a really interesting testing environment to watch 16 people create accounts and log in for the first time! Lots of usability issues come up which would/will be great to document and explore.
Comments
Bump
I am sorry, but i have bumped this topic because I think that it does represent a significant issue for drupal security. I will add an issue to the user module unless others have a better idea.
Cheers
While there might be some small improvements
possible that help with some proxies, there is nothing Drupal can do about a badly behaved proxy caching stuff. Drupal has no way of forcing the proxy to not show the cached content.
It's more of a proxy config issue. eg I have noticed there are settings on MS ISA that cause this same behaviour.
--
Anton
New to Drupal? | Forum posting tips | Troubleshooting FAQ
Example Knowledge Base built using Drupal
Thanks for the reply.
Thanks for the reply.
Just wondering, users of those computers regularly access applications such as gmail, yahoo mail etc that require logins etc. Obviously they dont see each others mail etc. Is this based upon unique urls due to get variables ( I havent checked to see if there are variables passed via the url)?
Perhaps a module with a a setup option that required protected content be requested with get variables could address the issue?
To be honest I'm not sure
what the technical issues are or potential solutions.
But I do know that badly configured proxies can screw up anything :)
You might want to raise an issue or contact some of the developers to discuss it further.
--
Anton
New to Drupal? | Forum posting tips | Troubleshooting FAQ
Example Knowledge Base built using Drupal
I had a look at the http
I had a look at the http response headers being sent with the default install. The relevant ones are:
After a little reading it appears that these are not the most reliable when it comes to proxy servers, as there are no agreed standards on implementation. (excellent article here)
I have added a page expiry field through the user_user hook using the following code:
This generates the following header only on the user page (which is currently the main issue):
I will be testing this afternoon to see if this overrides the proxy cache.
Mixed results - needs more
Mixed results - needs more testing
It works
I changed the Expires header to a standard date format using
to set it 24 hours in the past. I cleared the proxy cache and retested and it worked. Now I need to find the best place to set the header - ideally I would like it to only be served on authenticated pages.