You can’t have your cookie and cache it too

I recently discovered a poorly documented (in fact I couldn’t find any documentation about it) side effect of writing server-side cookies.  They cause outputcaching not to work, and they do so in a nonobvious way. 

If your outputcache directive looks like this:

<%@ OutputCache Duration="100" VaryByParam="none" location="Any" %>



But somewhere in your page you have code that looks like:

Response.Cookies["user"]["value"] = "something";



The page will not be cached.  Sure, it’ll have the public cache-control/expires headers, but the value will always be 100 (duration), and it won’t be cached by IIS.  There won’t be any errors or warnings, it simply won’t cache properly.  In our case it was even less obvious because the cookie writing code had been written a long time ago in a base page, and was only triggered on certain pages with certain querystring parameters.  Even when I discovered pages that I had assumed to be cached were not, I saw the cookie but dismissed it because I mistakenly assumed the effect would be the other way around.  I assumed that a cookie on a cached page simply wouldn’t work right, the first request would write cookie and then every user thereafter would receive the cached page with the cached cookie value effectively giving everyone the same cookie.  You know what the say about assumptions.


After wasting a lot of time with the Failed Request Tracing, which proved impossible to decipher, I cycled back to my suspicious cookie logic.  Once I removed the cookie logic, caching behaved normally.  A quick audit uncovered a second place where some old rudimentary tracking logic was also writing cookies with a similar effect on caching. 


If you’re combining outputcaching with writing cookies on the server-side I’d suggest taking another look.


 



Technorati Tags: ,

Comments

Post a Comment

Popular posts from this blog

RIF Notes #42

“In practice, problems are delegated but the power to address them is not.” - Maslach & Leiter Building the Object Model You Want with Entity Framework How you can improve your SQL with code analysis in SQL Prompt A growing number of young Americans are leaving desk jobs to farm – This is a head scratcher. Macro trends in the tech industry Technology Radar Vol 17 Essential .NET - C# 7.0: Tuples Explained – “What many folks didn’t realize when it was first introduced is that the new C# 7.0 tuple all but replaces anonymous types—and provides additional functionality.” Editor's Note – Misprint – “Any IT manager can regale you with stories of undiagnosable printer failures, but even at the home-office level printing is an exercise in fail” .NET Standard - Demystifying .NET Core and .NET Standard Devops - Continuous Data Migration Using Visual Studio and TFS
Read more

RIF Notes #4

“It is better to be feared than loved, if you cannot be both” – Machiavelli “A well-stated problem is half-solved” – John Dewey jsFiddle - Cool javascript testing tool Modernizr - Modernizr is a small and simple JavaScript library that helps you take advantage of emerging web technologies (CSS3, HTML 5) while still maintaining a fine level of control over older browsers that may not yet support these new technologies. Why We’re Going With HTML(5) Instead Of Silverlight – More on the debate between Silverlight and HTML5.  A year ago I would have said Silverlight, hands down, for LOB development, now its not quite as clear.  At least not if your users need to access your apps from their iPads and Droids. Bootstrapped, Profitable, & Proud: Braintree – Braintree Payment Technologies was the first company I contacted when I first started investigating credit card tokenization a few years back.  Remote Desktop Protocol (RDP) -- Technical Analysis - Matt found this article, for an
Read more

The greatest trick the AI ever pulled was convincing the world it wasn't THAT intelligent

Just listened to The AI Dilemma and it definitely elaborated on and articulated some of my own concerns, as did the news of OpenAI plugins. The synthesis of concern is: AI doesn't need to be that powerful to be destructive and destabilizing (e.g. social media algorithms) to people and society. These new LLM's are already much more powerful than social media algorithms. Many of the new LLM capabilities are emergent and poorly understood. The experts designing these systems don't fully understand them, and some of whom are already worried about what they've created. LLM's are being rapidly and recklessly deployed very broadly across society, in an arms race. The strongest argument against worry is that these LLM's aren't really intelligent, are really just a super-autocomplete that enables automating mundane tasks via natural language. But I don't think any of the companies developing or deploying these things are arguing that. Even if they were, see #1 &
Read more