Weird HN caching bug: I appear logged in as other HN users sometimes
50 points by benhoyt on Jan 6, 2010 | 9 comments
HN seems not to produce correct no-cache headers, so sometimes I appear logged in as other users. Kinda eerie, though I suppose with HN there's no major privacy issue :-), and it's not like I can do actual operations logged in as the other users, just viewing.

Incidentally, reddit had this exact bug almost two years ago, and spez fixed it: http://www.reddit.com/r/reddit.com/comments/6b2kq/

It happens because our ISP is caching the other guy's logged in page, and then serving it up to me (and vice versa, I suppose). I'm pretty sure my ISP's caching proxy is following the HTTP spec. HN can fix it by giving more stringent no-cache headers. At the moment HN says "Cache-Control: max-age=0". reddit serves "Cache-Control: no-cache" as well as "Pragma: no-cache" and that seems to do it.




I ran into a bug like this with rails and restful_authentication. It came from caching the logged in user through the session. I fixed it by using a cookie to store the logged in user instead. Here's the issue: http://stackoverflow.com/questions/145169/inadvertent-sessio...


Yeah, sorry, I'm going to fix this.


Nice catch, benhoyt. It is even better that you know exactly what is causing it. (However, I question the benefits of ISP caching in the networks of today.)


Depends where the ISP is located, though I suspect it has more to do with cutting bandwidth costs than anything else.


"it's not like I can do actual operations logged in as the other users, just viewing."

If you can see the user's "saved" feed (i.e., what submissions they voted for), I would say that is a privacy issue. That is currently not public information.

http://news.ycombinator.com/saved?id=<user>


This is surprisingly hard to get right on your first try; I ran into a similar issue not too long ago with a framework I had built myself.

This page has a great synopsis on how it should be done: http://www.mnot.net/cache_docs/


Setting either "Cache-Control: no-cache" or "Cache-Control: private" should fix it.
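To make the difference between the headers compared in the original post (HN's "max-age=0" versus reddit's "no-cache" plus "Pragma: no-cache") and the "private" suggested here concrete, the following is an added example, not HN's or reddit's code: a small model of how a spec-following shared cache such as an ISP proxy decides whether it may store a response and hand it to a different client, following the RFC 7234 rules for shared caches.

```python
# Added illustration of shared-cache behaviour; not code from HN or reddit.
# Treating a response-side "Pragma: no-cache" like "no-cache" is an assumption
# about legacy proxies, which the thread reports works in practice.

def parse_cache_control(value):
    """'private, max-age=0' -> {'private': None, 'max-age': '0'} (keys lower-cased)."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def shared_cache_verdict(headers):
    """How a shared cache (ISP or company proxy) handles a response with these headers.

    no_store         : private / no-store -> never written to the shared cache
    store_revalidate : no-cache (or legacy Pragma: no-cache) -> may be stored, but
                       every reuse must be checked with the origin first
    store_stale      : storable with zero freshness (max-age=0); a strict cache
                       revalidates, a lax or disconnected one may serve the copy
    store_and_serve  : considered fresh and handed to any client behind the proxy
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(hdrs.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return "no_store"
    if "no-cache" in cc or hdrs.get("pragma", "").lower() == "no-cache":
        return "store_revalidate"
    lifetime = cc.get("s-maxage", cc.get("max-age"))
    if lifetime is not None:
        try:
            if int(lifetime) <= 0:
                return "store_stale"
        except ValueError:          # unparseable lifetime is treated as stale
            return "store_stale"
    return "store_and_serve"        # explicit lifetime or heuristic freshness


def headers_for_personalized_page():
    """Response headers for a logged-in page: the directives recommended in
    the thread combined (reddit's no-cache + Pragma, plus 'private')."""
    return {"Cache-Control": "private, no-cache", "Pragma": "no-cache"}


def safe_for_logged_in_page(headers):
    """True when a shared proxy cannot hand this response to another client as-is."""
    return shared_cache_verdict(headers) in ("no_store", "store_revalidate")
```

Running `shared_cache_verdict` over a site's actual response headers is a quick way to audit session-bearing pages before a shared proxy does it for you.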


Yeah, the company cache-proxy here is doing the same.


Me too - I only see this at work, where we're running MS ISA Firewall.



