Minimal steps to reproduce:

1. Install Drupal core.
2. Go to admin/config/development/performance, turn on page caching and set the maximum expiration of cached pages to a nonzero number (e.g. a few minutes).
3. Log out and visit the home page using Safari (make sure to visit e.g. http://example.com rather than http://example.com/node).
4. Log in via the block on the left sidebar.
5. Click on the site logo which will take you back to e.g. http://example.com. Notice you will appear to be logged out.

If you refresh the page in your browser it will correctly show you as logged in again, though.

What's happening seems to be that Safari is having issues with the Cache-Control max-age setting combined with the Vary: Cookie setting and is serving pages from the browser cache when it shouldn't.

For more details and previous discussion, see: http://groups.drupal.org/node/191453

This is not reproducible with other browsers and is quite likely to be a Safari bug: https://bugs.webkit.org/show_bug.cgi?id=71509

However, it's possible Drupal is doing something wrong here, or at least there is something we could be doing in Drupal to work around it... Anyone have any ideas?

Comments

damien tournoud’s picture

This is fascinating. I could reproduce easily on Safari 6.0.2.

Re-reading the HTTP/1.1 specification, it doesn't seem that we are doing anything wrong here. I don't see a way of fixing that other than having either max-age=0 or must-revalidate (which would be the same for this particular purpose).
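
The cache behaviour discussed in the issue summary and in the comment above, as an added example that is not part of the original thread and is neither Safari's nor Drupal's code: a toy browser cache that reuses a stored response only while it is fresh and, when `honorVary` is on, only if every request header named in `Vary` matches. `ToyCache`, `replay`, the cookie value and the `public, max-age=300` header are constructed for illustration.

```javascript
// Toy model of browser cache reuse (added example, constructed data).
function parseMaxAge(cacheControl) {
  const m = /(?:^|,)\s*max-age=(\d+)/i.exec(cacheControl || '');
  return m ? Number(m[1]) : 0; // no max-age: treat as immediately stale
}

class ToyCache {
  constructor({ honorVary }) {
    this.honorVary = honorVary; // false models the behaviour reported in this issue
    this.store = new Map();     // url -> { reqHeaders, response, storedAt }
  }
  put(url, reqHeaders, response, now) {
    this.store.set(url, { reqHeaders, response, storedAt: now });
  }
  // Returns the cached body, or null when the origin must be contacted.
  lookup(url, reqHeaders, now) {
    const e = this.store.get(url);
    if (!e) return null;
    const ageSeconds = (now - e.storedAt) / 1000;
    if (ageSeconds >= parseMaxAge(e.response.headers['cache-control'])) return null;
    if (this.honorVary) {
      const vary = (e.response.headers['vary'] || '').split(',')
        .map((h) => h.trim().toLowerCase()).filter(Boolean);
      if (vary.includes('*')) return null;
      // Every header named in Vary must match the request that stored the entry.
      for (const h of vary) {
        if ((e.reqHeaders[h] || '') !== (reqHeaders[h] || '')) return null;
      }
    }
    return e.response.body;
  }
}

// Replays the reproduction steps against the toy cache.
function replay(honorVary, cacheControl) {
  const url = 'http://example.com/';
  const cache = new ToyCache({ honorVary });
  const anonPage = {
    headers: { 'cache-control': cacheControl, vary: 'Cookie' },
    body: 'anonymous home page',
  };
  cache.put(url, {}, anonPage, 0);                            // step 3: logged-out visit
  const afterLogin = { cookie: 'SESSabc=constructed-value' }; // step 4: login sets a cookie
  return cache.lookup(url, afterLogin, 30000);                // step 5: revisit 30 s later
}
```

With `honorVary` off and a nonzero max-age, `replay` hands back the anonymous page after login; with `honorVary` on, or with `max-age=0`, it returns `null` and the request goes to the server.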

Andre-B’s picture

A hotfix for running sites would be something like this (found here):

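function mymodulename_init() {
  // Guard against requests that carry no User-Agent header (e.g. CLI runs).
  $user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
  // Substring match on "Safari"; other WebKit-derived browsers also send this token.
  if (strpos($user_agent, 'Safari') !== FALSE) {
    // Headers asking the browser not to reuse a stored copy without revalidating.
    $default_headers = array(
      'Expires' => 'Sun, 19 Nov 1978 05:00:00 GMT',
      'Last-Modified' => gmdate(DATE_RFC1123, REQUEST_TIME),
      'Cache-Control' => 'no-cache, must-revalidate, post-check=0, pre-check=0',
      'ETag' => '"' . REQUEST_TIME . '"',
    );
    foreach ($default_headers as $k => $v) {
      drupal_add_http_header($k, $v);
    }
  }
}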

Though I am not sure if those headers should be set on hook_init or only for hook_preprocess_page; the latter could not cover AJAX calls if I understood the structure correctly.

Andre-B’s picture

The solution mentioned in #2 does not work.

Andre-B’s picture

I created a sandbox with a hotfix module that "fixes" this bug for Safari users: https://drupal.org/sandbox/baumeierit/2207235

maximpodorov’s picture

I have exactly the same problem. Is it possible to solve it?

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

mglaman’s picture

According to the latest WebKit release notes, WebKit will now respect Vary: Cookie https://webkit.org/blog/6640/release-notes-for-safari-technology-preview...

See the confirming tweet: https://twitter.com/anttikoivisto/status/745668331282309121

maximpodorov’s picture

The outdated versions are still installed on Mac computers.

Version: 8.1.x-dev » 8.2.x-dev

Version: 8.2.x-dev » 8.3.x-dev

j.b’s picture

Anyone having the same issue on Drupal 8?

Version: 8.3.x-dev » 8.4.x-dev

Version: 8.4.x-dev » 8.5.x-dev

Version: 8.5.x-dev » 8.6.x-dev

Version: 8.6.x-dev » 8.8.x-dev

Version: 8.8.x-dev » 8.9.x-dev

longwave’s picture

Status: Active » Closed (outdated)

Safari 6 is EOL and the original bug is fixed: https://bugs.webkit.org/show_bug.cgi?id=71509

I am closing this as outdated as there is nothing to change in Drupal here.