2 months ago
My application allows users to log in via Discord OAuth, and in doing so an account gets created for them on the website to manage their website profile. Now I turned on the new CDN cache option for my project's domain, and users complained of being logged in as other users, and others got logged out. We think it's a visual bug, but when I turned it off the issue went away. What could be causing this? For context, it's a Next.js application.
28 Replies
2 months ago
Do you use server-side props for session data?
We're on the Next.js App Router, not the Pages Router, so we don't use getServerSideProps for session. Session comes from an HttpOnly cookie, resolved on the server via cookies() + API fetch (cache: "no-store") and on the client via /api/session (forced dynamic + no-store headers).
Our next.config.js has `Cache-Control: public, max-age=300, must-revalidate`.
Could this be making it so one user’s full page (HTML + RSC payload) is being served to another?
2 months ago
Railway says they don't cache the HTML, but maybe the RSC is to blame? I don't know enough about Next.js to confidently answer that though.
2 months ago
Tell me more about this RSC payload.
2 months ago
But yes, we explicitly never cache text/html
For now I removed the global cache from the next config, and so far no complaints about people being visually logged in as someone else, hmm, but still monitoring.
2 months ago
What is the MIME type of the RSC requests, or really any MIME type for responses that contain user data?
For session data it's application/json, which contains the user data for the user that is logged in.
2 months ago
What specific Cache-Control values do you set for the JSON content?
2 months ago
Just what you sent above? `public, max-age=300, must-revalidate`
```
Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
Pragma: no-cache
Expires: 0
```
from the `/api/session` that returns that JSON. `public, max-age=300, must-revalidate` was an old global header, but I removed it.
2 months ago
So at the time of opening this thread, `public, max-age=300, must-revalidate` were the only values for Cache-Control?
2 months ago
Then that allows caching of the JSON, so the CDN was doing what it was told, unless I am misunderstanding?
2 months ago
You explicitly disable that now, so you should be good to re-enable; we will respect `no-store` and `no-cache`.
The /api/session file had no-store headers, but then the global one had a 5 min cache, so the file-specific headers don't get respected but instead the global one?
2 months ago
What headers prevail would be something you would need to look into on your end.
2 months ago
Have you since re-enabled the CDN?
Yes, I had re-enabled it here after I removed that global 5m cache header: https://discord.com/channels/713503345364697088/1487226044053458944/1487513163426697246
2 months ago
Sounds good, then am I good to solve?
2 months ago
:salute:
Status changed to Solved brody • about 2 months ago
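The thread's root cause is a user-specific JSON endpoint served under a header that a shared cache is allowed to store. The following is an added example, not code from the thread, from Railway or from the reporter's project: a small Node.js helper that classifies a `Cache-Control` value the way a shared cache (CDN) would under the RFC 9111 shared-cache rules, then flags responses that carry per-user data but may be reused across clients. It runs the two header values discussed above through that check. Assumptions, stated as such: `Expires` and `Pragma` are ignored, the request carried no `Authorization` header, heuristic freshness is not applied when no `max-age`/`s-maxage` is present, and the sample paths are constructed. It says nothing about which header wins inside Next.js when a route-level header and a `next.config.js` header collide; the thread leaves that open.

```javascript
// Added example (not from the thread): classify responses the way a shared
// cache (CDN) would, using the RFC 9111 shared-cache rules for Cache-Control.
// Assumptions: Expires and Pragma are ignored, the request carried no
// Authorization header, and no heuristic freshness is applied when the
// response gives no explicit max-age / s-maxage.

function parseCacheControl(value) {
  // "public, max-age=300, must-revalidate"
  //   -> { public: true, "max-age": "300", "must-revalidate": true }
  const directives = {};
  for (const part of String(value || "").split(",")) {
    const token = part.trim();
    if (!token) continue;
    const eq = token.indexOf("=");
    if (eq === -1) {
      directives[token.toLowerCase()] = true;
    } else {
      const name = token.slice(0, eq).trim().toLowerCase();
      const val = token.slice(eq + 1).trim().replace(/^"(.*)"$/, "$1");
      directives[name] = val;
    }
  }
  return directives;
}

// What a shared cache may do with a response carrying this Cache-Control value.
//   store:           may the CDN keep a copy at all?
//   reuseForSeconds: how long it may serve that copy without asking the origin.
function sharedCacheDecision(cacheControlValue) {
  const d = parseCacheControl(cacheControlValue);
  if ("no-store" in d) {
    return { store: false, reuseForSeconds: 0, reason: "no-store forbids storing the response" };
  }
  if ("private" in d) {
    return { store: false, reuseForSeconds: 0, reason: "private limits the response to one user's browser cache" };
  }
  if ("no-cache" in d) {
    return { store: true, reuseForSeconds: 0, reason: "no-cache requires revalidation with the origin before every reuse" };
  }
  // s-maxage applies only to shared caches and takes precedence over max-age.
  const ttlSource =
    d["s-maxage"] !== undefined ? "s-maxage" : d["max-age"] !== undefined ? "max-age" : null;
  if (ttlSource === null) {
    return { store: true, reuseForSeconds: 0, reason: "no explicit freshness lifetime; heuristic freshness not applied here" };
  }
  const ttl = Number.parseInt(d[ttlSource], 10);
  const reuseForSeconds = Number.isFinite(ttl) && ttl > 0 ? ttl : 0;
  return {
    store: true,
    reuseForSeconds,
    reason: `${ttlSource}=${reuseForSeconds} lets the CDN serve the same copy to any client`,
  };
}

// Flag responses whose body is specific to the authenticated user (session JSON,
// personalised HTML or RSC payloads) but which a shared cache may hand to others.
function auditResponse({ path, cacheControl, userSpecific }) {
  const decision = sharedCacheDecision(cacheControl);
  const crossUserRisk = userSpecific && decision.store && decision.reuseForSeconds > 0;
  return { path, crossUserRisk, ...decision };
}

// Constructed samples: the two header values from the thread on the same
// user-specific endpoint, plus a static asset where long caching is correct.
const SAMPLES = [
  { path: "/api/session", cacheControl: "public, max-age=300, must-revalidate", userSpecific: true },
  { path: "/api/session", cacheControl: "no-store, no-cache, must-revalidate, proxy-revalidate", userSpecific: true },
  { path: "/_next/static/chunks/app.js", cacheControl: "public, max-age=31536000, immutable", userSpecific: false },
];

function runAudit(samples = SAMPLES) {
  return samples.map(auditResponse);
}

for (const finding of runAudit()) {
  console.log(`${finding.path} [${finding.crossUserRisk ? "RISK" : "ok"}] ${finding.reason}`);
}
```

The first sample is the situation at the start of the thread: `public, max-age=300` on `/api/session` tells every shared cache on the path that the session JSON may be served to anyone for five minutes, which is exactly the "logged in as someone else" symptom. The second is the corrected header, which the CDN will not store at all. The same check is worth running over every response that varies by user, including HTML and RSC payloads, not only `/api/session`.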