PHP session_start() overwrites HTTP Expires header - php

I am trying to set the Expires header to 2 hours from access for text/html by using mod_expires like this:
<IfModule mod_expires.c>
ExpiresActive on
ExpiresDefault "access plus 2 hours"
ExpiresByType text/html "access plus 2 hours"
</IfModule>
However when used with PHP:
session_start();
Expires header is being reset to:
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Any ideas how to avoid that overwrite by session_start()?

OK, looks like I have found an answer:
session_cache_limiter('public');
session_start();
does the trick, thanks.

Related

Users Being Served Cached Pages of Other Users Accounts

I have a PHP script which includes a user panel. Inside this user panel there is some information such as their details, account balance, items assigned to their account.
While browsing through the user panel, occasionally you will be randomly shown another user's account page, but upon refresh it will go back to yours.
I originally thought that there was some sort of PHP session corruption going on, but I began logging all requests (IP of requestor + the user ID). From this I was able to determine that the PHP is never executed when another user's account page is randomly/accidentally served. (There was never a log entry from my IP for the "random" account that showed up.)
The website uses cloudflare, although I have added a page rule to disable caching for the entire client area.
I have added this which is output for every request made in the client area:
session_cache_limiter('private_no_expire');
header("Cache-Control: no-store, no-cache, must-revalidate"); // HTTP/1.1
header("Cache-Control: post-check=0, pre-check=0", false);
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT"); // Date in the past
header("Pragma: no-cache"); // HTTP/1.0
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
In my htaccess file I am using mod_expires with the following:
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType text/css "access 1 month"
ExpiresByType application/pdf "access 1 month"
ExpiresByType text/x-javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType image/x-icon "access 1 year"
ExpiresByType text/html "access 0 seconds"
ExpiresDefault "access 1 month"
</IfModule>
At this point I have absolutely no idea what else I can do to prevent ISPs/Cloudflare from serving the cached version.
Does anyone have any ideas as to what could be causing a cached version of my user panel pages to be shown to users?
The response headers from an occasion where this has happened are below.
HTTP/2.0 200 OK
date: Wed, 27 Feb 2019 21:03:30 GMT
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
expires: Sat, 26 Jul 1997 05:00:00 GMT
pragma: no-cache
last-modified: Wed, 27 Feb 2019 21:03:29 GMT
vary: Accept-Encoding
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-nginx-cache-status: HIT
x-server-powered-by: Engintron
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 4afd99361e6e3b14-YVR
content-encoding: br
X-Firefox-Spdy: h2
Turns out it was Nginx micro caching causing the issue.
Added this and it fixed the issue:
if ($host ~ "portal.domain.com") {
set $CACHE_BYPASS_FOR_DYNAMIC 1;
set $CACHE_BYPASS_FOR_STATIC 1;
}
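The response headers quoted in the question already show the contradiction that the Nginx change resolves: the origin sent no-store, yet x-nginx-cache-status reports HIT. The check below is an added example, not code from the original posts; it flags that pattern in captured response headers. The cf-cache-status header name, the set of "served from cache" status values and the BYPASS sample are assumptions not taken from the page.

```python
# Added example: flag responses a shared cache served although the origin forbade storing them.
SERVED_FROM_CACHE = {"HIT", "STALE", "UPDATING", "REVALIDATED"}
# Headers reporting a cache decision: the first is on this page, the second is Cloudflare's.
STATUS_HEADERS = ("x-nginx-cache-status", "cf-cache-status")

def parse_headers(raw):
    """Return {lowercased name: [values]}; lines without a colon (status line) are skipped."""
    headers = {}
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def directives(headers):
    """Collect Cache-Control directive names across repeated header lines."""
    tokens = ",".join(headers.get("cache-control", [])).split(",")
    return {t.strip().split("=")[0].lower() for t in tokens if t.strip()}

def audit(raw):
    """List contradictions between the origin's cache policy and the reported cache status."""
    headers = parse_headers(raw)
    forbidden = sorted(directives(headers) & {"no-store", "private"})
    findings = []
    for name in STATUS_HEADERS:
        for value in headers.get(name, []):
            if forbidden and value.upper() in SERVED_FROM_CACHE:
                findings.append(f"{name}={value} but Cache-Control has {', '.join(forbidden)}")
    return findings

# Subset of the response headers quoted in the question above.
FROM_PAGE = """HTTP/2.0 200 OK
content-type: text/html; charset=UTF-8
cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
expires: Sat, 26 Jul 1997 05:00:00 GMT
x-nginx-cache-status: HIT
server: cloudflare"""

# Constructed sample: the same policy once the cache is bypassed for this host.
AFTER_FIX = FROM_PAGE.replace("x-nginx-cache-status: HIT", "x-nginx-cache-status: BYPASS")

if __name__ == "__main__":
    for label, raw in (("from page", FROM_PAGE), ("after fix", AFTER_FIX)):
        print(label, audit(raw) or "no contradiction")
```

Running this over responses captured from authenticated pages catches a caching layer that ignores the origin's headers before a user reports seeing someone else's account.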

can't cache static files using htaccess

I am new to caching and I am trying to test how files would be cached, so I have created a simple PHP web page to test if I can cache the CSS file:
<!doctype html>
<head>
<link rel="stylesheet" href="style.css">
</head>
<body>
<h1 id="heading">Test</h1>
</body>
</html>
and I have created an htaccess file, then added these lines from here
# ----------------------------------------------------------------------
# | Expires headers |
# ----------------------------------------------------------------------
# Serve resources with far-future expires headers.
#
# (!) If you don't control versioning with filename-based
# cache busting, you should consider lowering the cache times
# to something like one week.
#
# https://httpd.apache.org/docs/current/mod/mod_expires.html
<IfModule mod_expires.c>
ExpiresActive on
ExpiresDefault "access plus 1 month"
# CSS
ExpiresByType text/css "access plus 1 year"
</IfModule>
Then I tried to change the style to check if it is cached, but the style changes on every load, which means that there is no caching. Then I thought maybe it is the local server configuration, so I moved to a live one and again it is still the same. I tested the headers with this site
and I got this:
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Sun, 24 Sep 2017 13:02:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=0
Expires: Sun, 24 Sep 2017 13:02:51 GMT
Vary: Accept-Encoding,User-Agent
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
EDIT:
I have found that mod_expires was not active on localhost and I enabled it, but I am still facing the problem.
Try adding this part:
<IfModule mod_headers.c>
<FilesMatch "\.(ico|jpe?g|png|gif|swf|css|gz)$">
Header set Cache-Control "max-age=2592000, public"
</FilesMatch>
<FilesMatch "\.(js)$">
Header set Cache-Control "max-age=2592000, private"
</FilesMatch>
<filesMatch "\.(html|htm)$">
Header set Cache-Control "max-age=7200, public"
</filesMatch>
# Disable caching for scripts and other dynamic files
<FilesMatch "\.(pl|php|cgi|spl|scgi|fcgi)$">
Header unset Cache-Control
</FilesMatch>
</IfModule>

PHP Caching Files (.htaccess)

I have the following code which I am using for my website. I would like to know if this code is correct in order for me to effectively cache my pages and files. I have tried to use tools to check this but some say they don't see that I am caching.
<ifModule mod_headers.c>
# 1 Month
<filesMatch "\.(ico|gif|jpg|jpeg|png|pdf)$">
Header set Cache-Control "max-age=2419200"
</FilesMatch>
# 1 Week
<filesMatch "\.(css|js)$">
Header set Cache-Control "max-age=604800"
</FilesMatch>
# 1 Day
<filesMatch "\.(htm|html)$">
Header set Cache-Control "max-age=86400"
</FilesMatch>
</ifModule>
Caching is an automatic mechanism of browsers. When a page is loading, the browser checks the cache for static files like js, css, images...; if they are not available, the browser will put them into the cache.
To determine whether the file is cached or not, check the Firebug console and click on the request link.
Here you can see information like
Accept-Ranges bytes
Cache-Control max-age=290304000, public
Content-Encoding gzip
Content-Length 2824
Content-Type application/javascript
Date Thu, 11 Jul 2013 10:15:06 GMT
Expires Fri, 12 Jul 2013 10:15:06 GMT
Last-Modified Thu, 03 Jan 2013 16:05:54 GMT
Server Apache
Vary Accept-Encoding,User-Agent

apache caching js files

I've configured Apache under windows to enable cache like this
LoadModule expires_module modules/mod_expires.so
LoadModule headers_module modules/mod_headers.so
LoadModule deflate_module modules/mod_deflate.so
ExpiresActive On
ExpiresDefault "access plus 3 days"
ExpiresByType image/x-icon "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType image/jpg "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType application/pdf "access plus 1 month"
<IfModule mod_headers.c>
# YEAR
<FilesMatch "\.(ico|gif|jpg|jpeg|png|flv|pdf)$">
Header set Cache-Control "max-age=29030400"
</FilesMatch>
# WEEK
<FilesMatch "\.(js|css|swf)$">
Header set Cache-Control "max-age=604800"
</FilesMatch>
# 45 MIN
<FilesMatch "\.(html|htm|txt)$">
Header set Cache-Control "max-age=2700"
</FilesMatch>
</IfModule>
When I try to open the js file directly in the browser (to test) by refreshing again and again, each time I get response status 200 in Firebug. It's not sending status "304 Not Modified". Do you have any idea how I can achieve this? Following is the output of the Firebug headers.
Response Header
Date Sat, 13 Aug 2011 01:18:15 GMT
Server Apache/2.2.19 (Win32) PHP/5.3.6
Last-Modified Sat, 13 Aug 2011 01:18:15 GMT
Etag W/"100000000171d-34f08-4aa5f022d9780"
Accept-Ranges bytes
Content-Length 216840
Cache-Control max-age=604800
Expires Tue, 16 Aug 2011 01:18:15 GMT
Keep-Alive timeout=5, max=100
Connection Keep-Alive
Content-Type application/javascript
Request Header
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language en-us,en;q=0.5
Accept-Encoding gzip, deflate
Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection keep-alive
Cookie PHPSESSID=5k947khv1j27itd7mtp5evtg07
If-Modified-Since Sat, 13 Aug 2011 01:03:42 GMT
If-None-Match W/"100000000171d-34f08-4aa5f022d9780"
Cache-Control max-age=0
The request contains an If-Modified-Since header:
Sat, 13 Aug 2011 01:03:42 GMT
But the response contains a Last-Modified header with a time later than that:
Sat, 13 Aug 2011 01:18:15 GMT
..so the file has to be loaded again.
Try unsetting the last-modified-header: http://www.askapache.com/htaccess/apache-speed-last-modified.html

PHP cache control - possible to avoid ANY connection to the same url from browser?

Is it possible to avoid any connections from the browser at all if first response headers were set properly?
/* Caching control */
$age = 3600*24*30; // 30 days
header('Expires: ' . gmdate('D, d M Y H:i:s ', time() + $age) . 'GMT');
I have tried to set this up, but the request is reaching the server anyway.
I have found this:
The Expires header has the advantage that it's easy to implement; in most cases, however, unless you're a highly organized person, you won't know exactly when a given page on your site will be updated. Since the browser will only contact the server after the page has expired, there's no way to tell browsers that the page they've cached is out of date. In addition, you also lose some knowledge of the traffic visiting your web site, since the browser will not make contact with the server when it requests a page that's been cached.
The question is, why is the Expires header I mentioned above not working?
** Request Headers **
GET /ru/templates/bannerpartial HTTP/1.1
Host: 192.168.1.3
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.2.12) Gecko/20101026 AlexaToolbar/alxf-1.54 Firefox/3.6.12 FirePHP/0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: bla-bla-bla
Cache-Control: max-age=0
** Response headers **
HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:48:26 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Set-Cookie: ZDEDebuggerPresent=php,phtml,php3; path=/
Expires: Thu, 09 Dec 2010 16:48:26 GMT
Cache-Control: must-revalidate
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 118
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
It is simpler to use .htaccess file with these settings:
<ifModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 seconds"
ExpiresByType text/html "access plus 10 seconds"
ExpiresByType image/gif "access plus 31536000 seconds"
ExpiresByType image/jpeg "access plus 31536000 seconds"
ExpiresByType image/png "access plus 31536000 seconds"
ExpiresByType image/ico "access plus 86400 seconds"
ExpiresByType image/x-icon "access plus 86400 seconds"
ExpiresByType text/css "access plus 31536000 seconds"
ExpiresByType text/javascript "access plus 31536000 seconds"
ExpiresByType application/javascript "access plus 31536000 seconds"
ExpiresByType application/x-javascript "access plus 31536000 seconds"
ExpiresByType application/x-shockwave-flash "access plus 31536000 seconds"
<FilesMatch "\.(flv|gif|jpg|jpeg|png|ico)$">
Header set Cache-Control "max-age=31536000"
</FilesMatch>
AddType image/vnd.microsoft.icon .ico
ExpiresByType image/vnd.microsoft.icon "access plus 1 months"
</ifModule>
If it doesn't work, uncomment the below line in Apache's httpd.conf file (most of the hosted servers enable this module by default):
LoadModule expires_module modules/mod_expires.so
Expires header works only if you click on a link or select the browser's URL bar and press the Enter key. If you press the reload button (or press F5), the browser ignores the expires header and reloads the contents.
Try cache-control: max-age. See this guide for details: http://www.mnot.net/cache_docs/
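The reload behaviour described in the answer above can be reproduced from the headers in the question: the response is fresh for 30 days, but the request carries Cache-Control: max-age=0, so the browser must contact the server. This is an added example, not code from the original posts; the function names are hypothetical, the age of 60 seconds and the link-navigation request are constructed, and the decision logic is a simplified reading of HTTP caching rules.

```python
from email.utils import parsedate_to_datetime

def parse(raw):
    """Return {lowercased name: value}; the request/status line has no colon and is skipped."""
    pairs = (line.partition(":") for line in raw.strip().splitlines())
    return {name.strip().lower(): value.strip() for name, sep, value in pairs if sep}

def directive(headers, name):
    """Value of a Cache-Control directive ('' when it has none), or None when absent."""
    for token in headers.get("cache-control", "").split(","):
        key, _, value = token.strip().partition("=")
        if key.lower() == name:
            return value
    return None

def freshness_lifetime(response):
    """Seconds the response stays fresh: max-age if present, otherwise Expires minus Date."""
    max_age = directive(response, "max-age")
    if max_age is not None:
        return int(max_age)
    if "expires" in response and "date" in response:
        delta = parsedate_to_datetime(response["expires"]) - parsedate_to_datetime(response["date"])
        return max(0, int(delta.total_seconds()))
    return 0

def reusable_without_request(request, response, age):
    """True if a browser cache may answer this request with no network traffic."""
    if any(directive(response, d) is not None for d in ("no-store", "no-cache")):
        return False
    if directive(request, "no-cache") is not None:
        return False
    limit = freshness_lifetime(response)
    requested = directive(request, "max-age")
    if requested is not None:  # the client caps the age it will accept
        limit = min(limit, int(requested))
    return age < limit

# Subsets of the request and response headers quoted in the question above.
RELOAD_REQUEST = """GET /ru/templates/bannerpartial HTTP/1.1
Host: 192.168.1.3
Cache-Control: max-age=0"""
RESPONSE = """HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:48:26 GMT
Expires: Thu, 09 Dec 2010 16:48:26 GMT
Cache-Control: must-revalidate"""
# Constructed sample: the same request as sent when following a link (no Cache-Control).
LINK_REQUEST = "GET /ru/templates/bannerpartial HTTP/1.1\nHost: 192.168.1.3"
```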
