View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001686 | OXID eShop (all versions) | 4.08. Cache | public | 2010-03-08 10:51 | 2012-12-10 13:39 |
Reporter | marco_steinhaeuser | Assigned To | |||
Priority | high | Severity | major | Reproducibility | sometimes |
Status | resolved | Resolution | fixed | ||
Product Version | 4.2.0 revision 23610 | ||||
Fixed in Version | 4.3.0 revision 26948 | ||||
Summary | 0001686: AOL proxy caches the cookies | ||||
Description | We have got three threads in the forum that tell about problems with the AOL proxy: http://www.oxid-esales.com/forum/showthread.php?t=4457 http://www.oxid-esales.com/forum/showthread.php?t=4154 http://www.oxid-esales.com/forum/showthread.php?t=4516 Private data from other users is displayed if a new user registers or logs in. Cookie handling is concerned. Please solve ASAP and show a simple solution (e.g. HTML header - Cache-Control: no-cache) if possible. | ||||
Tags | No tags attached. | ||||
Theme | |||||
Browser | All | ||||
PHP Version | any | ||||
Database Version | any | ||||
related to | 0001735 | resolved | tomas_liubinas | User ends up in a foreign account |
|
And a quick solution was proposed here: http://www.oxid-esales.com/forum/showthread.php?p=26671#post26683 |
|
Forum users have already noted that this problem could be solved by the "Cache-control:" HTTP response header. By default, the PHP session handler solves this problem automatically. It does not send this header when the session is not started (correct), and sends "Cache-control: no-store, no-cache..." headers when the session is started. This behavior depends on the session.cache_limiter php.ini setting, and there are 2 ways to solve this problem:

1. Set "session.cache_limiter = nocache" in your php.ini file

OR

2. This is what we did. Enforce the session cache limiter in eShop by adding the following line:

```php
session_cache_limiter("nocache");
```

We added it to the oxSession class, but it could be added anywhere BEFORE session_start() is called (for example to the config.inc.php file).
|
The problem seems not to be completely fixed yet. Please see http://ilia.ws/archives/59-AOL-Browser-Woes.html for more information. |
|
Here is the extended solution:

```php
// enforcing no caching when session is started
session_cache_limiter('nocache');

// cache limiter workaround for AOL browsers
// as suggested at http://ilia.ws/archives/59-AOL-Browser-Woes.html
// (isset() avoids an undefined-index notice when no User-Agent header is sent)
if (isset($_SERVER['HTTP_USER_AGENT']) && strpos($_SERVER['HTTP_USER_AGENT'], 'AOL') !== false) {
    // switch off PHP's automatic cache headers and send an explicit one instead
    session_cache_limiter(false);
    header("Cache-Control: no-store, private, must-revalidate, proxy-revalidate, post-check=0, pre-check=0, max-age=0, s-maxage=0");
}
```
|
I want to add that I feel this is not only a caching issue. To me it does not seem right to store credit card data in the session and output it unmasked to the user's browser in case the payment page is reloaded. If the data was not output to the browser, proxies could not cache it. |
|
Hi, a customer included that fix, and this has not happened again since 12.03.2010. Before that, it happened about 2 times a day. |
|
As this is related only to AOL and some other providers and appeared suddenly after 4.2.0 was out, OXID was able to work around this with 4.3.0. |
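
An added example (not code from this issue or from OXID eShop): a Python check that takes the response headers of a logged-in page and reports whether a shared proxy could store the response, covering the `Cache-Control` fix discussed in the notes above and the `Expires`/`Pragma` headers that PHP's `nocache` limiter sends alongside it for HTTP/1.0-only caches. The function names, finding codes and sample header blocks are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_headers(raw):
    """Parse a raw header block into {lowercase-name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def expired(values, now):
    """True if Expires is present and not in the future (invalid dates count as past)."""
    if not values:
        return False
    try:
        when = parsedate_to_datetime(values[-1])
    except (TypeError, ValueError):
        return True  # e.g. "Expires: 0" is treated as already expired
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= now

def audit_session_response(raw, now=None):
    """Return finding codes for a response that belongs to a user session."""
    now = now or datetime.now(timezone.utc)
    h = parse_headers(raw)
    directives = {d.split("=")[0].strip().lower()
                  for v in h.get("cache-control", []) for d in v.split(",") if d.strip()}
    findings = []
    # Only no-store or private forbid a shared cache from storing the response.
    if not ({"no-store", "private"} & directives):
        findings.append("shared-cache-may-store")
        if "set-cookie" in h:  # Set-Cookie by itself does not prevent caching
            findings.append("set-cookie-may-be-replayed")
    # HTTP/1.0-only caches ignore Cache-Control; they need Pragma or a past Expires.
    pragma = any("no-cache" in v.lower() for v in h.get("pragma", []))
    if not pragma and not expired(h.get("expires"), now):
        findings.append("no-http10-fallback")
    return findings

# Constructed sample header blocks (not captured from a real shop).
UNPROTECTED = "Set-Cookie: sid=constructed; path=/\nCache-Control: max-age=3600"
# Modelled on the header set PHP's "nocache" limiter sends.
PHP_NOCACHE = ("Set-Cookie: sid=constructed; path=/\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\n"
               "Cache-Control: no-store, no-cache, must-revalidate\nPragma: no-cache")
# Assumes only the explicit header from the AOL workaround is sent.
AOL_WORKAROUND = ("Cache-Control: no-store, private, must-revalidate, proxy-revalidate, "
                  "post-check=0, pre-check=0, max-age=0, s-maxage=0")
```

Running `audit_session_response` over headers collected from login, account and payment pages shows which responses still lack the headers the fix is meant to send.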