ContribCache and Authenticated users

Topics: Customizing Orchard
Jul 18, 2013 at 11:51 AM

In Contrib.Cache.Filters.OutputCacheFilter there is some code to stop caching when the user is logged in.

    // don't return any cached content, or cache any content, if the user is authenticated
    if (_workContext.CurrentUser != null) {
        Logger.Debug("Request ignored on Authenticated user");

We have a scenario where we would like to cache when the user is logged in. No dynamic or "personal" elements will be loaded by the page, all these will be handled with async js loads after the page has been delivered to the client.

My question is - can I safely remove this check or is there some underlying performance/architectural reason for it being in place?

I think I'm mostly aiming this question at Sebastian, but anyone else who knows the module well or has dealt with it could probably help.


Jul 19, 2013 at 2:21 AM
The issue is that this makes it extremely likely for secret/private information to be sent to another user than the one the output was cached for. If you need your users to be authenticated, chances are that you're going to have some user-specific content rendered (otherwise, what's the point?). If you cache that, the next user will get the cached version, with the content of the other user.

To do authenticated caching, you need to:
  • be extremely careful
  • have doughnut caching, or vary by user
Varying by user can be expensive and not quite as efficient as you'll have one cached version of each page, per user.
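
The three behaviours discussed in the reply above (one shared entry per URL, vary by user, doughnut caching), as an added example that is not part of the original thread and is not Orchard or Contrib.Cache code. PageCache, Mode, Hole and the sample users are hypothetical names made up for the illustration; running it shows which user's content the second visitor receives and how many cache entries each mode creates.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Added illustration: PageCache, Mode and Hole are hypothetical names,
// not Orchard or Contrib.Cache APIs.
enum Mode { SharedKey, VaryByUser, Doughnut }

class PageCache
{
    const string Hole = "<!--user-hole-->";   // placeholder left in the cached shell
    readonly Dictionary<string, string> _store = new Dictionary<string, string>();
    readonly Mode _mode;
    public PageCache(Mode mode) { _mode = mode; }
    public int Entries => _store.Count;

    // Per-user fragment; encoded because the user name is untrusted input.
    static string Fragment(string user) =>
        "<p>Signed in as " + WebUtility.HtmlEncode(user) + "</p>";

    public string Get(string url, string user)
    {
        // Only VaryByUser puts the identity into the cache key.
        var key = _mode == Mode.VaryByUser ? url + "|user=" + user : url;
        if (!_store.TryGetValue(key, out var body))
        {
            // Doughnut stores the shell with a hole; the other modes store the finished page.
            var inner = _mode == Mode.Doughnut ? Hole : Fragment(user);
            body = "<h1>" + url + "</h1>" + inner;
            _store[key] = body;
        }
        // Doughnut fills the hole on every request, after the cache lookup.
        return _mode == Mode.Doughnut ? body.Replace(Hole, Fragment(user)) : body;
    }
}

static class Program
{
    static void Main()
    {
        foreach (Mode mode in Enum.GetValues(typeof(Mode)))
        {
            var cache = new PageCache(mode);
            cache.Get("/account", "alice");   // constructed sample users and URL
            var bobSees = cache.Get("/account", "bob");
            Console.WriteLine(mode + ": entries=" + cache.Entries + ", bob receives " + bobSees);
        }
    }
}
```
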
Jul 19, 2013 at 8:21 AM
Ok, thanks for that Bertrand - I just wanted to check that this was the only (very good) reason behind this. We have several key authenticated pages that are going to get hit quite hard, and we can ajax load all the per user stuff. Yes - we will need to review our app carefully, and ensure our caching is not applied to any page we have not specifically reviewed as fit for purpose.

Many thanks,

Jul 24, 2013 at 4:36 AM
Edited Jul 24, 2013 at 7:28 AM
It is now OutputCache, but it is the same module and the same policy of not caching for authenticated users.

The problem with this policy is that after a user has authenticated, he keeps his status even when browsing common pages, and this has a cost for the site and the user experience.
There should be a page option saying: also cache auth users.
Jul 25, 2013 at 9:02 PM
Did you read what I wrote above? We understand that authenticated caching is desirable.
Jul 27, 2013 at 10:03 AM
I was considering adding the options within the UI in admin on a route by route basis, but I think our dev time before live has run out :)