• Resolved hackgyver

    (@hackgyver)


    When we upgraded from 2.5.3 to 2.5.9
    we experienced that the plugin started using PHP Sessions.

    From this we experience that the response headers changed from this:
    Cache-Control: max-age=1200, s-maxage=300

    to this
    Set-Cookie: PHPSESSID=tvn2oo45s1gs988ead088as0b2; path=/; secure; HttpOnly
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: max-age=1200, s-maxage=300
    Pragma: no-cache

    So this upgrade disabled all our ATS-Cache.

    Is there a way to disable this?

Viewing 12 replies - 1 through 12 (of 12 total)
  • Hello hackgyver,

    Thank you for using our plugin.

    You’re correct, we did start using the phpsession. It is being used by the plugin to determine when a user is logged in or not. Having said that, it is only used for logged in users and it does not add the Pragma: no-cache header, which is what is disabling your cache.

    Could it be something else, maybe you did another change in the meantime that is adding this header? I can confirm that we are not using any of these in our code: http://php.net/manual/en/function.session-cache-limiter.php

    Looking forward to hearing from you.

    Thread Starter hackgyver

    (@hackgyver)

    I’ve been testing the response headers with the two versions now:

    curl -k -s --include -D /dev/tty -o /dev/null 'https://wp-www.www.dev.x.net/privat/bredband/wifi/'

    Response headers with 2.5.3:

    HTTP/1.1 200 OK
    Date: Wed, 22 Feb 2017 13:58:52 GMT
    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips PHP/5.4.16
    Strict-Transport-Security: max-age=31536000
    Set-Cookie: partnerinfo=%7B%22id%22%3A%221027%22%2C%22name%22%3Anull%2C%22hostname%22%3Anull%2C%22logoUrl%22%3Anull%7D
    Cache-Control: max-age=1200, s-maxage=300
    Link: <https://wp-www.www.dev.x.net/wp-json/>; rel="https://api.w.org/"
    Link: <https://wp-www.www.dev.x.net/?p=4385>; rel=shortlink
    Vary: Accept-Encoding
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8

    Response headers with 2.5.9:

    HTTP/1.1 200 OK
    Date: Wed, 22 Feb 2017 13:58:03 GMT
    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips PHP/5.4.16
    Strict-Transport-Security: max-age=31536000
    Set-Cookie: PHPSESSID=tvn2oo45s1gs988ead088as0b2; path=/; secure; HttpOnly
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: max-age=1200, s-maxage=300
    Pragma: no-cache
    Set-Cookie: partnerinfo=%7B%22id%22%3A%221027%22%2C%22name%22%3Anull%2C%22hostname%22%3Anull%2C%22logoUrl%22%3Anull%7D
    Link: <https://wp-www.www.dev.x.net/wp-json/>; rel="https://api.w.org/"
    Link: <https://wp-www.www.dev.x.net/?p=4385>; rel=shortlink
    Vary: Accept-Encoding
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8

    PHP automatically sets Expires (to 1981) and Pragma when there’s an active session.

    The combination of Cache-Control with instructions like cache and Expires, Pragma not to cache leaves our Apache Traffic Server (ATS) without caching.

    Hello Hackgyver,

    That is actually a good test and catch. Thank you for this Hackgyver. Will surely look into this and get back to you.

    Hello Hackgyver,

    Just to confirm, are you using any of the premium add-ons or not?

    Thread Starter hackgyver

    (@hackgyver)

    Yes, I’m using
    email-notifications
    reports
    search
    user-sessions-management

    Ok. If you disable the users-sessions-management plugin does the issue persist?

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    @wpwhitesecurity

    Just to confirm, are you using any of the premium add-ons or not?

    Yes, I’m using
    email-notifications
    reports
    search
    user-sessions-management

    Can you direct this topic to your own site for support? Other plugin authors do that (it’s required).

    https://www.wpsecurityauditlog.com/support/

    As you are aware, commercial products are not supported in these forums. As this is your customer I am sure you will provide support there.

    Thread Starter hackgyver

    (@hackgyver)

    I’m quite sure that the sub-modules were not enabled during this test.
    This is still a valid issue for non-paying customers.

    Thank you for your answer hackgyver. I asked because the Users Management add-on uses the PHP session etc, so that might be somehow triggering this issue.

    We need more information to troubleshoot this, so can you please contact us via email on [email protected] so we can start troubleshooting it?

    Thank you.

    @jdembowski thank you for pointing that out. That’s the reason why I asked, so if he is using them then we can get in touch via email.

    Hackgyver,

    We identified the issue and are working on a fix right now. Should release an update later on today or tomorrow.

    Hello @hackgyver

    We just released version 2.6.1 which fixes the issue you reported. The cache was being disabled because the plugin was creating a PHP Session ID cookie for non logged in visitors, which was a bug.

    The plugin no longer creates such a cookie, so the cache will work.

    Please do not hesitate to get in touch in case of any further issues.
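
A regression check for the behaviour diagnosed in this thread, as an added example that is not part of the original posts or the plugin's code: it scans an anonymous response's headers for a PHP session cookie and for the Pragma and Expires headers that the 2.5.9 response shows next to `Cache-Control: max-age`. The function names are hypothetical and the partnerinfo cookie value in the samples is abridged.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed samples: cache-relevant headers from the two responses quoted in
# the thread (the partnerinfo cookie value is abridged).
HEADERS_253 = """\
Date: Wed, 22 Feb 2017 13:58:52 GMT
Set-Cookie: partnerinfo=%7B%22id%22%3A%221027%22%7D
Cache-Control: max-age=1200, s-maxage=300
"""
HEADERS_259 = """\
Date: Wed, 22 Feb 2017 13:58:03 GMT
Set-Cookie: PHPSESSID=tvn2oo45s1gs988ead088as0b2; path=/; secure; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: max-age=1200, s-maxage=300
Pragma: no-cache
Set-Cookie: partnerinfo=%7B%22id%22%3A%221027%22%7D
"""

def header_values(raw, name):
    """All values of one header, case-insensitive; repeated headers are kept."""
    pairs = (line.split(":", 1) for line in raw.splitlines() if ":" in line)
    return [v.strip() for k, v in pairs if k.strip().lower() == name]

def is_past(http_date, now):
    """True if the date is not after `now`; unparsable dates count as expired."""
    try:
        return parsedate_to_datetime(http_date) <= now
    except (TypeError, ValueError):
        return True

def cache_conflicts(raw, session_cookie="PHPSESSID"):
    """Findings that make an anonymous response look uncacheable to a shared cache."""
    findings = []
    if any(c.split("=", 1)[0].strip() == session_cookie
           for c in header_values(raw, "set-cookie")):
        findings.append("session cookie issued")
    cc = ",".join(header_values(raw, "cache-control")).lower()
    directives = {d.strip().split("=")[0] for d in cc.split(",")}
    if not directives & {"max-age", "s-maxage"}:
        return findings  # origin did not ask for caching; nothing to contradict
    date = header_values(raw, "date")
    now = parsedate_to_datetime(date[0]) if date else datetime.now(timezone.utc)
    if any("no-cache" in p.lower() for p in header_values(raw, "pragma")):
        findings.append("Pragma: no-cache alongside max-age")
    if any(is_past(e, now) for e in header_values(raw, "expires")):
        findings.append("Expires in the past alongside max-age")
    return findings
```

Feeding it the headers captured with `curl -D` for a logged-out request after each plugin upgrade gives an empty list when the page is still cacheable.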


The topic ‘PHP SESSION disables cache’ is closed to new replies.