Why is Chrome caching my login page?
no-cache is not as strong as no-store. Chrome's documentation indicates that no-cache indicates a re-usable document, while no-store indicates that it should not be re-used.
Based on this information, your Cache-Control header should simply be:
Cache-Control: no-store
The extra values in it may be letting Chrome pick and choose which it would like to honor.
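Added example (not part of the original answer): a small Python audit that reads a Cache-Control value by its RFC 9111 meaning, run on the header from the question and on the one proposed in this answer. The function and key names are assumptions made for this sketch, and it reports what the directives ask for, not what a particular Chrome build does.

```python
# Added example: what a Cache-Control response header asks of a cache (RFC 9111).
# Function and key names are made up for this sketch.

# Response directives defined in RFC 9111, section 5.2.2.
RFC9111_RESPONSE = {
    "max-age", "must-revalidate", "must-understand", "no-cache", "no-store",
    "no-transform", "private", "proxy-revalidate", "public", "s-maxage",
}

def parse_cache_control(value):
    """Split a header value into {directive: argument or None}.
    Simplification: quoted arguments that contain commas are not handled."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def audit(value):
    """Summarise the storage rule and list directives worth a second look."""
    d = parse_cache_control(value)
    if "no-store" in d:
        storage = "must-not-store"             # nothing may be written to cache
    elif "no-cache" in d:
        storage = "may-store-must-revalidate"  # stored copy needs validation first
    else:
        storage = "may-store"                  # reuse governed by freshness rules
    return {
        "storage": storage,
        # Directives a cache is free to ignore because the RFC does not define them.
        "not_in_rfc9111": sorted(set(d) - RFC9111_RESPONSE),
        # Everything sent alongside no-store, i.e. what the answer suggests dropping.
        "beside_no_store": sorted(set(d) - {"no-store"}) if "no-store" in d else [],
    }

# Header values copied from the question and from the answer above.
QUESTION = "no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0"
ANSWER = "no-store"

if __name__ == "__main__":
    for label, header in [("question", QUESTION), ("answer", ANSWER),
                          ("no-cache only", "no-cache")]:
        print(label, audit(header))
```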
GaryBishop
Updated on September 18, 2022
Comments
-
GaryBishop over 1 year
Our literacy web site for kids with disabilities is causing some users issues with logging in. You can visit the site at http://tarheelreader.org/. If you login at https://tarheelreader.org/login/, and then go to the login page again you should see a logout message. But Chrome caches the page and returns the original login page instead. The headers are:
Cache-Control:no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0
Content-Encoding:gzip
Content-Type:text/html; charset=UTF-8
Date:Thu, 26 Jan 2017 22:55:55 GMT
Expires:Wed, 11 Jan 1984 05:00:00 GMT
Link:<https://tarheelreader.org/?p=110663>; rel=shortlink
Pragma:no-cache
Server:nginx
Vary:Accept-Encoding
X-UA_Compatible:IE=edge,chrome=1
Which are about every way I could find to say don't cache this page. But the network tab in the debugger shows the page coming from disk cache. If I disable the cache with the checkbox in the debugger things work as they should.
Update: If I set the sandbox version of the site to use HTTPS only the problem goes away. Maybe it is something about the switching from HTTP to HTTPS and back?
-
MrWhite over 7 years
I see the cached response too, not sure why as yet. However, you also have a funny redirect going on... if I try to access https://tarheelreader.org/login (as in your link), without a trailing slash, then I get a 302 redirect to the http://... URL! Only if you include the trailing slash does it appear to behave correctly.
-
GaryBishop over 7 years
Fixed in the post. And thanks for looking. I can enable you to login if you need it.
-
Stephen Ostermiller over 7 years
IE6 doesn't know about no-store. You could set a different Cache-Control header for IE6 using user-agent sniffing. Alternately, you could have a separate page for logout, or pass a parameter to your login page (even a dummy parameter).
-
GaryBishop over 7 years
You are correct. Changing the Cache-Control to no-store and it works perfectly in Chrome.
-
GaryBishop over 7 years
No, I spoke too soon. The change doesn't fix it on Windows 10. Same behavior.
-
Stephen Ostermiller over 7 years
"How to control web page caching, across all browsers?" seems to recommend only Cache-Control: no-store, must-revalidate and old versions of IE use Pragma: no-cache but there is one answer that says when using HTTPS the pragma header causes Chrome 28 to fail. It looks pretty much impossible to satisfy all browsers with a single set of directives.
-
MrWhite over 7 years
FWIW... Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0 (no max-age:0) would seem to be the default header that Apache sends for non-caching resources.