Make WordPress Core

Opened 2 months ago

Last modified 11 days ago

#61711 new defect (bug)

Password-protected pages lacking appropriate 'Cache-Control' request header

Reported by: brevilo's profile brevilo Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 2.0.5
Component: Security Keywords:
Focuses: Cc:

Description

Over the years there have been recurring reports of users having issues with password-protected pages which simply redirected to the password prompt again, instead of the actually protected page (after successful login), e.g.:

The tickets got closed with "worksforme" and the discussions kept looking at the WP config, plugins or client-side issues, but so far without reliable solutions. Since I myself ran into the same problem as so many others before, I now analyzed it and found the (well, at least a) culprit.

I narrowed it down to be a caching problem at my hosting provider, seemingly using Nginx as a caching reverse-proxy! This could also explain the "worksforme" closures above: if your provider doesn't use such caching (or a CDN for that matter), you won't reproduce it.

In my case the response headers (after the successful) redirect contained:
X-Cache-Status: HIT (see this FAQ)

As a workround I now send the appropriate header tailored for this situation, as part of my theme:

<?php
header('Cache-Control: private');

For me, and probably a lot of others (reverse-proxy caching or CDNs are widely used) the solution would be to do this for all password-protected pages. Remember that header() must be called before any actual output is sent.

Thanks

Change History (3)

#1 @brevilo
2 months ago

Here's one of many examples where troubled users switched their provider and the problem was gone. To me this also hints at a reverse-proxy setup. This could really positively affect as lot of installations, I reckon.

Version 0, edited 2 months ago by brevilo (next)

#2 @brevilo
8 weeks ago

  • Component changed from General to Security

#3 @hellofromTonya
11 days ago

  • Version changed from 6.6 to 2.0.5

Changing the Version from 6.6 to 2.0.5.

Note: See TracTickets for help on using tickets.