0

So I've been exploring the infrastructure of many websites again recently and started examining http response headers very closely.

After doing this for so long, I felt it was was very clear that if you were logged into a website, it could not display a cached main document page from Fastly while displaying dynamic content at the same time. Turns out, I was wrong.

The only way I can see this being possible is serving a cached page based off of some cookie (which I feel like I read somewhere that it's not secure, but tell me if I'm wrong)

Also, I understand that qz.com is a Javascript app, but I found this when I had Javascript disabled. When I had Javascript disabled and navigated around the website while signed it, it still showed an indicator that I was signed in. After disabling cookies, the sign-in indicator left.

While I was navigating to new pages after signing in, it looks like the cache is simply served based off of your cookie considering the age started at 0 after signing in and then went up. (I think it reset)

If that's not the case, can anyone give me insight as to how this could be done?

I've read this https://www.section.io/docs/modules/varnish-cache/how-tos/dynamic-caching/ and I'm betting that the answer is somewhere written in this doc/article.

Thank you!

nikolay
  • 49
  • 6

1 Answers1

1

Hole punching is indeed a very common way to divide your HTTP response into several fragments. These fragments are used to render non-cacheable data.

AJAX is a common hole punching technique, but it is done in Javascript.

Edge Side Includes (ESI) is the server-side alternative that is supported by Varnish.

Varnish also offers other mechanisms to perform stateful logic. I have a slide deck that describes various mechanisms to cache personalized data: https://speakerdeck.com/thijsferyn/caching-the-uncacheable-with-varnish-php-london-2020

Thijs Feryn
  • 3,982
  • 1
  • 5
  • 10