Set-Cookie header is omitted in not modified response served by cache middleware

Issue #5 resolved
Anonymous created an issue

In applications served out from cache there might be a case when the auth cookie is not delivered to the browser, since the newly generated response is not modified per HTTP_IF_NONE_MATCH or HTTP_IF_MODIFIED_SINCE. This causes the auth cookie to expire. As a result the browser is redirected to a page with status code 401 (unauthorized).

Comments (3)

  1. Andriy Kornatskyy repo owner

    Here is a recommendation on how to properly select the auth cookie lifetime based on a page lifetime in cache.

    Page 2               o-----------x---o
                         ^
                         |
    Page 1 o-------------x---o--o----x---------------o--------->
           t0            t1  t2 t3   t4              t5    time
    

    The user interaction starts at t0, which generates the auth cookie and puts Page 1 into cache up until t2. The auth cookie lifetime is up to t5 and needs to be renewed somewhere after t3. At t1 the user navigates to Page 2, which goes to cache (cookie is not renewed). If the user at t4 navigates to an expired or a new page, the auth cookie will be renewed. If the user is idle and any interaction is beyond t5, the auth cookie will not get any chance to be renewed.

    The rule for auth cookie lifetime depending on max age in cache can be formulated as follows:

    auth cookie life time > (2 * lifetime in cache) + average user idle time

    The user session idle time for more than a half of auth cookie lifetime might cause auth cookie to expire.
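The following simulation is an added example, not code from this project or from the comment above; it replays a constructed request trace against a shared page cache to show when a cookie lifetime below the rule above leads to the 401 described in the issue, and what changes if the cache middleware forwards Set-Cookie on cache hits (the `renew_on_cache_hit` flag is an assumption of this example, not a project option).

```python
from typing import Dict, List, Optional, Tuple

Request = Tuple[str, float]  # (page name, absolute request time)


def min_cookie_lifetime(cache_max_age: float, avg_idle: float) -> float:
    """Lower bound from the comment: 2 * lifetime in cache + average idle time."""
    return 2 * cache_max_age + avg_idle


def simulate(requests: List[Request], cookie_lifetime: float, cache_max_age: float,
             shared_cache: Optional[Dict[str, float]] = None,
             renew_on_cache_hit: bool = False) -> Optional[float]:
    """Replay one user's requests against a shared page cache.

    Returns the time of the first request rejected with 401 because the auth
    cookie had expired, or None if the cookie was always renewed in time.
    The first request is the sign-in, which is never served from cache.
    """
    cache = dict(shared_cache or {})   # page -> time the cached copy expires
    cookie_expires: Optional[float] = None
    for page, t in sorted(requests, key=lambda r: r[1]):
        if cookie_expires is not None and t > cookie_expires:
            return t  # auth cookie expired: 401 (unauthorized)
        cached = cookie_expires is not None and page in cache and t <= cache[page]
        if not cached:
            # fresh response: page goes to cache and Set-Cookie renews the auth cookie
            cache[page] = t + cache_max_age
            cookie_expires = t + cookie_lifetime
        elif renew_on_cache_hit:
            # hypothetical middleware that emits Set-Cookie even for cached / 304 responses
            cookie_expires = t + cookie_lifetime
        # else: cached response without Set-Cookie, cookie lifetime unchanged
    return None


CACHE_MAX_AGE = 10.0
AVG_IDLE = 5.0
# constructed trace: sign in, browse two cached pages, stay idle, come back
TRACE: List[Request] = [("signin", 0.0), ("home", 1.0), ("signin", 9.0), ("home", 14.0)]
# constructed shared cache state: "home" was cached by someone else at t=-8, valid until t=2
SHARED_CACHE = {"home": 2.0}

if __name__ == "__main__":
    print("rule: lifetime >", min_cookie_lifetime(CACHE_MAX_AGE, AVG_IDLE))
    print("lifetime 12 -> 401 at", simulate(TRACE, 12.0, CACHE_MAX_AGE, SHARED_CACHE))
    print("lifetime 26 -> 401 at", simulate(TRACE, 26.0, CACHE_MAX_AGE, SHARED_CACHE))
```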
