Cache problems with FBOauth Module [#1779336]

I'm troubleshooting a problem with Facebook (FB) login on my site using the Facebook OAuth module.

Reproduction steps:

Be logged out of Facebook and my site
Log into my site using Facebook login button
Log out of my site (using site logout link). I'm still logged into FB
Use FB login button on my site to log in

I expected to end up at the home page logged in. Instead, I get redirected to the home page, but a cached version of it (so it appears I'm not logged in). Refreshing the browser causes the home page to reload logged in and I'm set from here.

The issue is the home page is being loaded from cache, but I'm not sure why. The site runs Drupal 7, Varnish, and the 7.x-1.5 version of the Facebook OAuth module.

Here are the headers from the initial FB login button click. Since I'm already logged into Facebook I'm redirected right away back to my site (this is expected).

Request URL:https://www.facebook.com/dialog/oauth?client_id=407390309287595&redirect...
Request Method:GET
Status Code:302 Found

Request Headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Cookie:c_user=3413203; csm=2; datr=bq8bT_JILi0PrW8H9GZ5BMy6; fr=0MYU2YYrkDuegxlUi.AWVgxOkdsHe9zhvPJdDW7h70n48; lu=RgWtdyxDRmUr6dOIqyRyPhtg; s=Aa45lsbBS4F1Oll2.BQBsO2; xs=67%3AuZMhOYBden1YIw%3A2%3A1342620598; p=5; act=1342620710713%2F3%3A0; presence=EM342620710EuserFA23413203A2EstateFDutF0EsndF1EnotF0Et2F_5b_5dEuct2F134262011B0Elm2FnullEtrFnullEtwF2196532340EatF1342620710745Esb2F0CEchFDp_5f3413203F1CC; locale=en_US
Host:www.facebook.com
Referer:http://www.zujava.com/user/login
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11
Query String Parametersview URL encoded
client_id:407390309287595
redirect_uri:http://www.zujava.com/fboauth/connect
scope:email,user_about_me,user_website

Response Headers
Cache-Control:private, no-cache, no-store, must-revalidate
Connection:keep-alive
Content-Length:0
Content-Type:text/html; charset=utf-8
Date:Wed, 18 Jul 2012 14:18:46 GMT
Expires:Sat, 01 Jan 2000 00:00:00 GMT
Location:http://www.zujava.com/fboauth/connect?code=AQBbeDeOf-cd6HCy6GALaDqESzcfg...
P3P:CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma:no-cache
Set-Cookie:locale=en_US; expires=Wed, 25-Jul-2012 14:18:46 GMT; path=/; domain=.facebook.com
X-Content-Type-Options:nosniff
X-FB-Debug:GPh2t018FPktnIalVO4RrxjZAQ3onlvvFyAEgI6g08U=
X-Frame-Options:DENY
X-XSS-Protection:0
Next are the headers that complete the FB login on my site's side. You can see the session cookie being created in the response headers:

Request URL:http://www.zujava.com/fboauth/connect?code=AQBbeDeOf-cd6HCy6GALaDqESzcfg...
Request Method:GET
Status Code:302 Moved Temporarily

Request Headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Cookie:ctools-collapsible-state=views-ui-advanced-column-petting_zu_graduates%3A1%2Cviews-ui-advanced-column-newly_published_content%3A1%2Cviews-ui-advanced-column-test%3A1%2Cviews-ui-advanced-column-html_sitemap%3A1; Drupal.tableDrag.showWeight=0; __atuvc=31%7C25%2C4%7C26%2C0%7C27%2C5%7C28%2C5%7C29; has_js=1; __utma=249598093.1349651830.1327187978.1342578105.1342618991.600; __utmb=249598093.64.9.1342621126771; __utmc=249598093; __utmz=249598093.1341848548.567.26.utmcsr=facebook.com|utmccn=(referral)|utmcmd=referral|utmcct=/l.php
Host:www.zujava.com
Referer:http://www.zujava.com/user/login
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11
Query String Parametersview URL encoded
code:AQBbeDeOf-cd6HCy6GALaDqESzcfgTJNmh_i5iIx2IpG-KOWBTJHcylhigo82ZGR_X2SOJVzkwcvIKa7rD4dxcg2CLLDa3eZJMkDlP6D3UIU6c-iCFu_TZg6LkfLM4cOGKtu5HraaQUrLUPJd96hOsmpDuW9lzTLuBeMH4fwI7m7p3Jybig1GE06098OJCGuGos
URL fragment
#:_=_

Response Headers
Age:0
Connection:keep-alive
Content-Length:0
Date:Wed, 18 Jul 2012 14:18:47 GMT
Location:http://www.zujava.com/
Via:1.1 varnish
X-Pantheon-Edge-Server:10.183.199.123
X-Varnish:181771624
cache-control:no-cache, must-revalidate, post-check=0, pre-check=0
content-type:text/html
etag:"1342621126"
expires:Sun, 19 Nov 1978 05:00:00 GMT
last-modified:Wed, 18 Jul 2012 14:18:46 +0000
server:nginx/1.0.15
set-cookie:SESS650d63be2a9c0113cd1740e78b8184ed=961WQoY1iwAJSjEBiuglfI_TDsz3VA8BReyLK2wnz44; expires=Fri, 10-Aug-2012 17:52:07 GMT; path=/; domain=.zujava.com; HttpOnly
x-drupal-cache:MISS
The final home page request:

Request URL:http://www.zujava.com/#_=_
Request Method:GET
Status Code:200 OK (from cache)
URL fragment
#:_=_
I believe this indicates the home page is being loaded by the local browser cache, and no request is actually being made to the server. If so, I'm confused as to why. I assume the problem would be in how I'm telling browsers to cache the home page?

Here are the response headers for a logged out page load of the home page:

HTTP/1.1 200 OK
Server: nginx/1.0.15
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
x-drupal-cache: HIT
Etag: "1342622308-0"
Content-Language: en
x-generator: Drupal 7 (http://drupal.org)
Cache-Control: public, max-age=10800
Last-Modified: Wed, 18 Jul 2012 14:38:28 +0000
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Content-Encoding: gzip
Content-Length: 8686
Date: Wed, 18 Jul 2012 14:50:55 GMT
X-Varnish: 658648930 658583362
Age: 295
Via: 1.1 varnish
Connection: keep-alive
X-Pantheon-Edge-Server: 10.183.199.163
Any hints or ideas would be welcome.

Comments

Comment #1

heddn

English

Nicaragua

CreditAttribution: heddn commented 10 September 2012 at 14:40

This feels like more of an issue with your varnish config and not drupal's varnish module. I'd suggest looking at your vcl config first, specifically how you handle cookies and user sessions.

Comment #2

basik.drupal CreditAttribution: basik.drupal commented 11 September 2012 at 08:33

Thanks for the quick reply
you're probably right, I'm new to varnish but i took the "recommended" config from 4kitchens.
I would be grateful if you could look at this config and point out what am i missing.
Thanks in advance:

# Default backend definition.  Set this to point to your content
# server.
#
backend default {
  .host = "127.0.0.1";
  .port = "8080";
}
 
# Respond to incoming requests.
sub vcl_recv {
  # Use anonymous, cached pages if all backends are down.
  if (!req.backend.healthy) {
    unset req.http.Cookie;
  }
 
  # Allow the backend to serve up stale content if it is responding slowly.
  set req.grace = 6h;
 
  # Pipe these paths directly to Apache for streaming.
  if (req.url ~ "^/admin/content/backup_migrate/export") {
    return (pipe);
  }
  if (req.url ~ "^/plupload.*") {
    return (pipe);
  }
 
  # Do not cache these paths.
  if (req.url ~ "^/status\.php$" ||
      req.url ~ "^/update\.php$" ||
      req.url ~ "^/admin$" ||
      req.url ~ "^/admin/.*$" ||
      req.url ~ "^/flag/.*$" ||
      req.url ~ "^.*/ajax/.*$" ||
      req.url ~ "^.*/ahah/.*$") {
       return (pass);
  }

  if (req.url ~ "^/node/add/.*$" ||
      req.url ~ "^/node/.*/edit$" ||
      req.url ~ "/^event/.*$" ||
      req.url ~ ".*fbconnect.*" || 
      req.url ~ ".*facebook.*" || 
      req.url ~ ".*fblink.*") {
    return (pass);
  }
 
  # Do not allow outside access to cron.php or install.php.
  #if (req.url ~ "^/(cron|install)\.php$" && !client.ip ~ internal) {
    # Have Varnish throw the error directly.
  #  error 404 "Page not found.";
    # Use a custom error page that you've defined in Drupal at the path "404".
    # set req.url = "/404";
  #}
 
  # Always cache the following file types for all users. This list of extensions
  # appears twice, once here and again in vcl_fetch so make sure you edit both
  # and keep them equal.
  if (req.url ~ "(?i)\.(pdf|asc|dat|txt|doc|xls|ppt|tgz|csv|png|gif|jpeg|jpg|ico|swf|css|js)(\?.*)?$") {
    unset req.http.Cookie;
  }
 
  # Remove all cookies that Drupal doesn't need to know about. We explicitly 
  # list the ones that Drupal does need, the SESS and NO_CACHE. If, after 
  # running this code we find that either of these two cookies remains, we 
  # will pass as the page cannot be cached.
  if (req.http.Cookie) {
    # 1. Append a semi-colon to the front of the cookie string.
    # 2. Remove all spaces that appear after semi-colons.
    # 3. Match the cookies we want to keep, adding the space we removed 
    #    previously back. (\1) is first matching group in the regsuball.
    # 4. Remove all other cookies, identifying them by the fact that they have
    #    no space after the preceding semi-colon.
    # 5. Remove all spaces and semi-colons from the beginning and end of the 
    #    cookie string. 
    set req.http.Cookie = ";" + req.http.Cookie;
    set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";");    
    set req.http.Cookie = regsuball(req.http.Cookie, ";(SESS[a-z0-9]+|NO_CACHE)=", "; \1=");
    set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", "");
    set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", "");
 
    if (req.http.Cookie == "") {
      # If there are no remaining cookies, remove the cookie header. If there
      # aren't any cookie headers, Varnish's default behavior will be to cache
      # the page.
      unset req.http.Cookie;
    }
    else {
      # If there is any cookies left (a session or NO_CACHE cookie), do not
      # cache the page. Pass it on to Apache directly.
      return (pass);
    }
  }

  if (req.http.X-Forwarded-Proto == "https" ) {
    set req.http.X-Forwarded-Port = "443";
  } else {
    set req.http.X-Forwarded-Port = "80";
    set req.http.X-Forwarded-Proto = "http";
  }
}
 
# Set a header to track a cache HIT/MISS.
sub vcl_deliver {
  if (obj.hits > 0) {
    set resp.http.X-Varnish-Cache = "HIT";
  }
  else {
    set resp.http.X-Varnish-Cache = "MISS";
  }
}
 
# Code determining what to do when serving items from the Apache servers.
# beresp == Back-end response from the web server.
sub vcl_fetch {
  # We need this to cache 404s, 301s, 500s. Otherwise, depending on backend but 
  # definitely in Drupal's case these responses are not cacheable by default.
  if (beresp.status == 404 || beresp.status == 301 || beresp.status == 500) {
    set beresp.ttl = 10m;
  }
 
  # Don't allow static files to set cookies. 
  # (?i) denotes case insensitive in PCRE (perl compatible regular expressions).
  # This list of extensions appears twice, once here and again in vcl_recv so 
  # make sure you edit both and keep them equal.
  if (req.url ~ "(?i)\.(pdf|asc|dat|txt|doc|xls|ppt|tgz|csv|png|gif|jpeg|jpg|ico|swf|css|js)(\?.*)?$") {
    unset beresp.http.set-cookie;
  }
 
  # Allow items to be stale if needed.
  set beresp.grace = 6h;
}
 
# In the event of an error, show friendlier messages.
sub vcl_error {
  # Redirect to some other URL in the case of a homepage failure.
  #if (req.url ~ "^/?$") {
  #  set obj.status = 302;
  #  set obj.http.Location = "http://backup.example.com/";
  #}
 
  # Otherwise redirect to the homepage, which will likely be in the cache.
  set obj.http.Content-Type = "text/html; charset=utf-8";
  synthetic {"
<html>
<head>
  <title>Page Unavailable</title>
  <style>
    body { background: #303030; text-align: center; color: white; }
    #page { border: 1px solid #CCC; width: 500px; margin: 100px auto 0; padding: 30px; background: #323232; }
    a, a:link, a:visited { color: #CCC; }
    .error { color: #222; }
  </style>
</head>
<body onload="setTimeout(function() { window.location = '/' }, 5000)">
  <div id="page">
    <h1 class="title">Page Unavailable</h1>
    <p>The page you requested is temporarily unavailable.</p>
    <p>We're redirecting you to the <a href="/">homepage</a> in 5 seconds.</p>
    <div class="error">(Error "} + obj.status + " " + obj.response + {")</div>
  </div>
</body>
</html>
"};
  return (deliver);
}

Comment #3

basik.drupal CreditAttribution: basik.drupal commented 6 October 2012 at 21:19

Anyone? Any advice regarding cookies and user sessions so i could work with FBOauth and cache?

Comment #4

heddn

English

Nicaragua

CreditAttribution: heddn commented 6 October 2012 at 22:50

Its a browser thing, not varnish. You need to set no-cache, etc in the HTTP headers so the browser will always refresh the page. Varnish should ignore these parameters and return a cached page. You'll need to do a quick google for the specifics on HTTP headers as I don't have the actual config in front of me.

Comment #5

heddn

English

Nicaragua

CreditAttribution: heddn commented 7 October 2012 at 01:46

Cache-Control:no-cache, no-store, must-revalidate

These can either be set in varnish, apache/nginx or in Drupal. In any case, they should only be set on pages where its valid to have a refresh as it will cause the browser to always call off to the server.