Forum OpenACS Q&A: Proxy problems with log-in

Posted by Brad Ford on
I finally resolved all of my problems with self-hosting a server over my cable modem as outlined in this thread (I'll eventually document what's required and how to configure so Joel can add it to the docs). It seems that most people that try can log in/register on it - www.physworx.com if you want to try. Here's the problem (and it affects my logging in on openacs.org as well): My office is behind a firewall which uses a proxy server (and I suspect that is where the problem lies). When I try to log in at physworx on the index page (located at home, directly connected to internet with a static IP), I get the login page expired screen. If I click on the login link from there, I end up at the login screen. Logging in there sometimes logs me in (and takes me back to the index page where I'm shown as logged out, yet I have access as if I'm logged in) and sometimes just refreshes the page with no error messages - yet logs me in without showing so. So now I'm logged in (although it only shows me as logged in when not on the index page) and am unable to log out using the log-out link on pages where it's visible. Confused? So am I. Would the caching of the proxy server cause these problems? Has anyone else seen these issues? BTW, I'm using MS IE6 and Mozilla Firebird and get the same problem on both (and have IE set to check for new versions of page on each visit).
Posted by Brad Ford on

Sorry, forgot the paragraph breaks...

I finally resolved all of my problems with self-hosting a server over my cable modem as outlined in this thread (I'll eventually document what's required and how to configure so Joel can add it to the docs). It seems that most people that try can log in/register on it - www.physworx.com if you want to try.

Here's the problem (and it affects my logging in on openacs.org as well):

My office is behind a firewall which uses a proxy server (and I suspect that is where the problem lies). When I try to log in at physworx on the index page (located at home, directly connected to internet with a static IP), I get the login page expired screen. If I click on the login link from there, I end up at the login screen. Logging in there sometimes logs me in (and takes me back to the index page where I'm shown as logged out, yet I have access as if I'm logged in) and sometimes just refreshes the page with no error messages - yet logs me in without showing so. So now I'm logged in (although it only shows me as logged in when not on the index page) and am unable to log out using the log-out link on pages where it's visible. Confused? So am I. Would the caching of the proxy server cause these problems? Has anyone else seen these issues?

BTW, I'm using MS IE6 and Mozilla Firebird and get the same problem on both (and have IE set to check for new versions of page on each visit).

Posted by Tilmann Singer on
Your problem might go away when the server sends out pragma: no-cache, cache-control and/or expires header. Accessing your server with wget -S reveals that no such headers are being sent currently.

I added some code recently that sends out these headers, but it's in cvs HEAD only and not in the oacs-4-6 branch that you are probably using. Check out the proc ad_http_cache_control and where it is called in acs-tcl/tcl/request-processor-procs.tcl, if you want to copy it over to your installation. A more quick and dirty solution would be to add calls like this to your default-master:

ns_set put [ad_conn outputheaders] "Pragma" "no-cache"
Posted by russ m on
Personally I use
ns_set put [ns_conn outputheaders] "Cache-Control" "private"
ns_set put [ns_conn outputheaders] "Pragma" "no-cache"
Pragma: no-cache says the page is totally non-cacheable, but Cache-Control: private tells sufficiently smart browsers that they may cache the page while shared caches (like your office firewall/proxy) should not...
Posted by Tilmann Singer on
I think the way it is now on head is ok, since you wouldn't want to have a typical openacs page cached, even by non-shared caches, since it normally contains a "logged in as" and maybe other information that should always be displayed up to date.

It is very annoying when a user clicks on 'Log out' and after that still sees 'Logged in as X' in the header, which I presume would happen when using Cache-Control: private.

The headers openacs sends out by default can be turned off with a kernel parameter by the way, so you can easily roll your own.

Posted by Brad Ford on
Thanks everyone!

I added the ns_set put [ns_conn outputheaders] "Pragma" "no-cache" as the first tcl call in default-master.tcl and all caching problems from my office are fixed!

Should a note be put in the install docs about this or possibly an edit to the release tarball default-master.tcl if this is a common-ish problem? It's also a problem on openacs.org.

I'm pretty new to later versions of openacs (haven't kept up with changes since learning the system in the v2 days of classic acs) - will the pragma no-cache option affect cached sql results? As I understand, many queries are set to cache for a certain time period to keep server loads down - or am I way off base here?

Posted by Tilmann Singer on
Brad, this header and some others to prevent caching are automatically output in the 4.7 version of OpenACS. Maybe someone wants to merge that back to 4.6, but as a new feature it first went into the development branch.

I wouldn't recommend the quick and dirty fix of putting that in the default-master for the standard toolkit, since it won't affect pages that don't use the default master, e.g. the search results page.

And that has nothing to do with caching of query results, it's just an http thing.
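
The header combinations discussed in this thread, run through a simplified cacheability audit. This is an added example, not code from the thread or from OpenACS: the function names and sample header sets are constructed, and the model assumes caches honour Pragma: no-cache in a response, which is a convention rather than something HTTP guarantees.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument} (argument may be '')."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"')
    return directives

def expired(expires_value, now):
    """True if Expires is in the past; unparseable values (e.g. "0") count as expired."""
    try:
        when = parsedate_to_datetime(expires_value)
    except (TypeError, ValueError):
        return True
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= now

def audit(headers, now=None):
    """Return (shared_ok, browser_ok, reason): may a shared proxy / the browser's
    own cache serve this response again without asking the origin server?"""
    now = now or datetime.now(timezone.utc)
    h = {name.lower(): value for name, value in headers}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "no-cache" in cc or cc.get("max-age") == "0":
        return (False, False, "Cache-Control forbids reuse")
    if "private" in cc:
        return (False, True, "Cache-Control: private")
    # Pragma and Expires only matter to this model when Cache-Control is absent.
    # Honouring Pragma: no-cache in a response is a convention, not a guarantee.
    if not cc and "no-cache" in h.get("pragma", "").lower():
        return (False, False, "Pragma: no-cache")
    if not cc and "expires" in h and expired(h["expires"], now):
        return (False, False, "Expires in the past")
    return (True, True, "nothing forbids reuse")

# Constructed header sets mirroring the three situations in the thread.
NO_HEADERS = [("Content-Type", "text/html")]        # no cache headers at all
QUICK_FIX = NO_HEADERS + [("Pragma", "no-cache")]    # the default-master fix
PRIVATE = NO_HEADERS + [("Cache-Control", "private"), ("Pragma", "no-cache")]

if __name__ == "__main__":
    for label, hdrs in [("none", NO_HEADERS), ("quick fix", QUICK_FIX), ("private", PRIVATE)]:
        print(label, audit(hdrs))
```

The `PRIVATE` result is the trade-off argued over above: the shared proxy is kept out, but the browser's own cache may still show an out-of-date "Logged in as" page.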