I'm on a roll. Two weird caching problems in the space of a week. This one started off looking like a scary security bug. During testing, our QA department observed the following sequence of events:
- Log into the system as user U1.
- View page P1
- Log out
- Log into the system as user U2.
- View page that re-directs to P1.
At this point, they were indeed on page P1, but it was showing the data from user U1. My first suspicion was that somehow browser cookies were not being cleared and we somehow managing to pick up the sessions cookies from the initial login. The fact that this problem only occurred with IE and not with FireFox did make me a little bit suspicious, but we have seen some differences between the way that FireFox and IE deal with cookies. Life was also complicated by the fact that some of the navigation in the above sequence of events was not simply the user clicking on links, but rather a Flash application issuing commands back to the browser to cause it to navigate to a new URL.
After a few false starts investigating our Flash application, we got out our network monitoring tool to see what was actually happening. We were quite surpised to find that when the incorrect version of P1 was being displayed, there was actually no network traffic. The user clicked on a button in Flash, the Flash code issued a request for the browser to navigate to page P1, and then the wrong version of P1 simply appeared on the browser.
After getting over the initial shock, it was obvious what was happening: IE was serving the page out of the local browser cache. I think this is an error on the part of IE. The cached page it was displaying was associated with a particular set of cookie values, and those cookie values had been cleared. Thus, IE was effectively ignoring the cookie values when retrieving the page from cache. Given that cookies are frequently used to store information about the identity of the user in a given session, this is obviously wrong. It results in behaviour exactly as we had observed: information from one session being erroneously displayed in different session.
The quick fix for the bug was to turn caching off for this page. We haven't done further experiments, but I wonder whether this is a general problem with IE's caching algorithm, or whether it is behaviour that is restricted to the situation in which Flash is driving the browser's navigation.