Over the past 3 months, I've had two instances when I visited stackoverflow.com only to discover myself logged in as a completely different user. This seems to have happened to others as well. In that question, the answerer writes:
your ISP illegally responded to your request(s) with content it had previously requested on behalf of a different user
And indeed, that user is sharing the same ISP with me. There's no doubt there's some very serious privacy issue here - specifically, I was able to access that user's account page and see his personal details (such as e-mail), and if it happens one way, I wouldn't be surprised if that user is occasionally logged in as me and can see my personal details.
That answer, however, writes that my ISP is doing something illegal. Is my ISP actually doing something wrong here, or is such "overzealous" caching permissible under whatever protocols govern this? Is it ultimately the website's (stackoverflow's) fault for not supporting encryption (https) for displaying sensitive pages with sensitive user information?
And if my ISP is indeed in the wrong here, is there any way I can produce some sort of incriminating report next time it happens, so I will have something concrete to send them to complain, or send the press if they ignore me? I should note that during the two times it had happened, subsequent requests did not always fix the situation; the "returning bad page" thing seemed to have lasted a few minutes.
Would you mind being more specific about the RFCs being violated? – Oak – 2012-05-02T20:25:22.387
@Oak: RFC2616 "The Cache-Control general-header field is used to specify directives that MUST be obeyed by all caching mechanisms along the request/response chain."
– RedGrittyBrick – 2012-05-02T20:46:59.077
Thanks! Actually it seems that stackoverflow's response is marked "public, max-age=120", and according to that RFC, pages marked "public" can indeed be cached and are not specific to a single user... – Oak – 2012-05-02T21:05:23.103
@Oak: Some of the many responses that go to complete a Superuser web page are "public", but I believe some are "private" (based on a short examination using Wireshark - but Superuser pages are fairly complex) e.g. "GET /posts/419790/ivc/6134?_=1338987622151 HTTP/1.1" response: "Cache-Control: private" – RedGrittyBrick – 2012-05-02T21:13:24.380
Looks like what my ISP is not respecting is the "Vary" field, also defined in that RFC. Thanks for the help! – Oak – 2012-05-02T22:48:14.997