2 Replies - 1147 Views - Last Post: 04 June 2013 - 03:38 PM Rate Topic: -----

#1 adn258   User is offline

  • D.I.C Addict

Reputation: 12
  • View blog
  • Posts: 816
  • Joined: 31-August 11

Is Using PHP Caching And Login Sessions A Dangerous Combination?

Posted 24 April 2013 - 11:08 PM

So one things you can do to speed up sites of course that don't need updates often is use a cache storing the output buffer in an html file and loading just that html whilst updating that cache every so often. This keeps necessary pulls from the MYSQL database from being necessary.

Using something like so:


So correct me if I'm wrong, but if someone is logged into your website with a session this can cause loads of security problems if you're not careful thanks to the fact that you may be accidentally caching PRIVATE INFORMATION that people can later see in the cache of the person last logged into a session.

So essentially you have to be very careful to not cache ANYTHING FROM A USER IN SESSION. Is this correct? Thanks Guys!!

Is This A Good Question/Topic? 0
  • +

Replies To: Is Using PHP Caching And Login Sessions A Dangerous Combination?

#2 KingCuddles   User is offline

  • D.I.C Regular

Reputation: 176
  • View blog
  • Posts: 496
  • Joined: 20-December 08

Re: Is Using PHP Caching And Login Sessions A Dangerous Combination?

Posted 04 June 2013 - 05:11 AM

I would have a quick look at session security just to make sure you are not making any basic mistakes. Chris Shiflett has a great article on session hijacking.

I think what you mean though, is if you cache a user profile page when I am logged in, then you log in you would see my data? Normally when you cache something you would give it a unique key, in this case (at a basic level) you could use the users id to ensure that the cache is tied to an individual. There is an example below (using Memcahe) which shows roughly what I mean.

That said, I would think as long as your HTML isn't horrendous and you have good (clean/minified/cached) CSS/js the effort involved with caching HTML would not be worth your time.

I know I have used Smarty, Blade and Twig (templating languages) extensively and I am fairly sure they all do some sort of caching out of the box.

So what I would do is focus on caching heavy SQL queries, so if your user queries are huge you could using Memcache(d) to do:

// Obviously validate your user is logged in and all that good stuff up here

// See if the data is cached
if ($memcahce->get($user_id) != false)
  // In which case use what we have in the cache
  $data = $memcahce->get($user_id);
// Data not cached!
  // Run our monster user query
  $data = $database->getUser();

  // Cache the results for later
  $memcache->set($user_id, $data, MEMCACHE_COMPRESSED, $cachePeriod);

// Use $data...

Obviously this is a ridiculously simple example, but it should make sense.

As Atli points out below, it is probably not worth caching your users control panel, I should have made that clearer :)/>

This post has been edited by KingCuddles: 05 June 2013 - 01:58 AM

Was This Post Helpful? 1
  • +
  • -

#3 Atli   User is offline

  • Enhance Your Calm
  • member icon

Reputation: 4240
  • View blog
  • Posts: 7,216
  • Joined: 08-June 10

Re: Is Using PHP Caching And Login Sessions A Dangerous Combination?

Posted 04 June 2013 - 03:38 PM

Caching only has a point if you are caching frequently accessed information. Caching things like user control panels is absolutely pointless; that info is never going to be accessed frequently enough for caching to make any difference. Whatever method you are employing to cache the HTML, whether it's some simple home-made solution or something as advanced as things like Varnish, you need to add a way to flag pages as non-cacheable. Set a header or something on pages that shouldn't be cached and make your cache ignore those pages.

But anyway, KingCuddles makes a good point. Caching the HTML is probably not going to make the biggest difference as far as caching goes. There are other things you want to cache as well. First of all, if you don't have this set up already, you want to set up APC (or something equivalent.) Caching the PHP byte-code can make a huge difference on PHP execution times. APC also comes with an in-memory caching API that you can use to cache things like query results, in much the same way the Memcache example KingCuddles posted does.
Was This Post Helpful? 1
  • +
  • -

Page 1 of 1