Our literacy web site for kids with disabilities is causing some users issues with logging in. You can visit the site at http://tarheelreader.org/. If you log in at https://tarheelreader.org/login/, and then go to the login page again, you should see a logout message. But Chrome caches the page and returns the original login page instead. The headers are:
Cache-Control:no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0
Content-Encoding:gzip
Content-Type:text/html; charset=UTF-8
Date:Thu, 26 Jan 2017 22:55:55 GMT
Expires:Wed, 11 Jan 1984 05:00:00 GMT
Link:<https://tarheelreader.org/?p=110663>; rel=shortlink
Pragma:no-cache
Server:nginx
Vary:Accept-Encoding
X-UA_Compatible:IE=edge,chrome=1
Which are about every way I could find to say don't cache this page. But the network tab in the debugger shows the page coming from disk cache. If I disable the cache with the checkbox in the debugger things work as they should.
Update: If I set the sandbox version of the site to use HTTPS only, the problem goes away. Maybe it is something about the switching from HTTP to HTTPS and back?
no-cache is not as strong as no-store. Chrome's documentation indicates that no-cache indicates a re-usable document, while no-store indicates that it should not be re-used.
Based on this information, your Cache-Control header should simply be:
The extra values in it may be letting Chrome pick and choose which it would like to honor.
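As an added example (not part of the question or the answer above), this Python sketch parses the Cache-Control value quoted in the question and reports which storage policy it asks for and which directives a standards-following cache ignores. The function names and policy labels are assumptions; the directive meanings follow RFC 9111, which does not define `post-check` or `pre-check`.

```python
import re

# token[=value]; a quoted value may itself contain commas (e.g. no-cache="Set-Cookie, X").
_DIRECTIVE = re.compile(
    r'''([\w!#$%&'*+.^`|~-]+)(?:\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]*)))?'''
)

# Response directives from RFC 9111, RFC 8246 and RFC 5861.
KNOWN = {
    "no-store", "no-cache", "must-revalidate", "proxy-revalidate",
    "max-age", "s-maxage", "private", "public", "no-transform",
    "must-understand", "immutable", "stale-while-revalidate", "stale-if-error",
}


def parse_cache_control(value):
    """Return {directive: argument or None}, with directive names lowercased."""
    directives = {}
    for m in _DIRECTIVE.finditer(value):
        arg = m.group(2) if m.group(2) is not None else m.group(3)
        directives[m.group(1).lower()] = arg
    return directives


def audit(value):
    """Return (policy, ignored): the requested storage policy and unknown directives."""
    d = parse_cache_control(value)
    unqualified_no_cache = "no-cache" in d and d["no-cache"] is None
    if "no-store" in d:
        policy = "never-store"            # cache must not write the response anywhere
    elif unqualified_no_cache or (d.get("max-age") == "0" and "must-revalidate" in d):
        policy = "store-but-revalidate"   # may be stored, must be validated before reuse
    else:
        policy = "reusable"               # may be served from cache while fresh
    ignored = sorted(name for name in d if name not in KNOWN)
    return policy, ignored


if __name__ == "__main__":
    # Header value copied from the question.
    page_value = ("no-store, no-cache, must-revalidate, max-age=0, "
                  "post-check=0, pre-check=0")
    print(audit(page_value))
```

Running the same audit against the header a browser actually received (copied from the network tab) shows whether an intermediary or plugin rewrote the value before it reached the cache.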