Why is Chrome caching my login page?


no-cache is not as strong as no-store. Chrome's documentation indicates that no-cache indicates a re-usable document, while no-store indicates that it should not be re-used.

Based on this information, your Cache-Control header should simply be:

Cache-Control: no-store

The extra values in it may be letting Chrome pick and choose which it would like to honor.


Author: GaryBishop

Updated on September 18, 2022

Comments

  • GaryBishop
    GaryBishop over 1 year

    Our literacy web site for kids with disabilities is causing some users issues with logging in. You can visit the site at http://tarheelreader.org/. If you log in at https://tarheelreader.org/login/, and then go to the login page again, you should see a logout message. But Chrome caches the page and returns the original login page instead. The headers are:

    Cache-Control:no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0
    Content-Encoding:gzip
    Content-Type:text/html; charset=UTF-8
    Date:Thu, 26 Jan 2017 22:55:55 GMT
    Expires:Wed, 11 Jan 1984 05:00:00 GMT
    Link:<https://tarheelreader.org/?p=110663>; rel=shortlink
    Pragma:no-cache
    Server:nginx
    Vary:Accept-Encoding
    X-UA_Compatible:IE=edge,chrome=1
    

    Which are about every way I could find to say don't cache this page. But the network tab in the debugger shows the page coming from disk cache. If I disable the cache with the checkbox in the debugger things work as they should.

    Update: If I set the sandbox version of the site to use HTTPS only, the problem goes away. Maybe it is something about the switching from HTTP to HTTPS and back?

    • MrWhite
      MrWhite over 7 years
      I see the cached response too, not sure why as yet. However, you also have a funny redirect going on... if I try to access https://tarheelreader.org/login (as in your link), without a trailing slash, then I get a 302 redirect to the http://... URL! Only if you include the trailing slash does it appear to behave correctly.
    • GaryBishop
      GaryBishop over 7 years
      Fixed in the post. And thanks for looking. I can enable you to login if you need it.
  • Stephen Ostermiller
    Stephen Ostermiller over 7 years
    IE6 doesn't know about no-store. You could set a different Cache-Control header for IE6 using user-agent sniffing. Alternately, you could have a separate page for logout, or pass a parameter to your login page (even a dummy parameter).
  • GaryBishop
    GaryBishop over 7 years
    You are correct. After changing the Cache-Control to no-store, it works perfectly in Chrome.
  • GaryBishop
    GaryBishop over 7 years
    No, I spoke too soon. The change doesn't fix it on Windows 10. Same behavior.
  • Stephen Ostermiller
    Stephen Ostermiller over 7 years
    "How to control web page caching, across all browsers?" seems to recommend only Cache-Control: no-store, must-revalidate, and old versions of IE use Pragma: no-cache, but there is one answer that says when using HTTPS the pragma header causes Chrome 28 to fail. It looks pretty much impossible to satisfy all browsers with a single set of directives.
  • MrWhite
    MrWhite over 7 years
    FWIW... Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0 (no max-age:0) would seem to be the default header that Apache sends for non-caching resources.
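
Added example, not part of the original post, answer or comments: Python code that audits a login response for the two issues raised in this thread, a Cache-Control value that goes beyond the plain `no-store` the answer recommends, and a redirect that sends an HTTPS login URL to HTTP as MrWhite observed. The function names are hypothetical and the redirect sample uses a constructed placeholder host.

```python
from urllib.parse import urlsplit

# Response directives defined in RFC 9111; anything else is an extension.
RFC9111_RESPONSE = {
    "max-age", "must-revalidate", "must-understand", "no-cache", "no-store",
    "no-transform", "private", "proxy-revalidate", "public", "s-maxage",
}

# Cache-Control value as quoted in the question on this page.
QUESTION_CACHE_CONTROL = ("no-store, no-cache, must-revalidate, max-age=0, "
                          "post-check=0, pre-check=0")

def parse_cache_control(value):
    """Return {directive: argument or None}; commas inside quotes are kept."""
    directives, token, quoted = {}, "", False
    for ch in value + ",":
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            name, _, arg = token.strip().partition("=")
            if name:
                directives[name.strip().lower()] = arg.strip().strip('"') or None
            token = ""
        else:
            token += ch
    return directives

def audit_login_response(url, status, headers):
    """Hypothetical helper: list findings for one response to a login URL."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    findings = []
    if "no-store" not in cc:
        findings.append("missing no-store")
    extras = sorted(set(cc) - {"no-store"})
    if extras:
        findings.append("extra directives beyond no-store: " + ", ".join(extras))
    unknown = sorted(set(cc) - RFC9111_RESPONSE)
    if unknown:
        findings.append("non-standard directives: " + ", ".join(unknown))
    target = urlsplit(h.get("location", ""))
    if 300 <= status < 400 and urlsplit(url).scheme == "https" and target.scheme == "http":
        findings.append("redirect downgrades https to http: " + h["location"])
    return findings

if __name__ == "__main__":
    print(audit_login_response("https://tarheelreader.org/login/", 200,
                               {"Cache-Control": QUESTION_CACHE_CONTROL}))
    # Constructed redirect of the kind MrWhite describes (placeholder host).
    print(audit_login_response("https://example.test/login", 302,
                               {"Location": "http://example.test/login/"}))
```

Feed it the status, request URL and headers captured from the browser's network tab or a proxy log; an empty list means the response carries only `no-store` and no scheme downgrade.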