I have a script in the /home/example/www/includes/ directory that is included (via PHP) on every page. This script reads a cookie, and then does a MySQL query based on the value of that cookie.
Every once in a while I’ll have a server issue (sometimes a load spike, sometimes the /tmp directory gets full and cPanel crashes), and when that happens the script shows cached information instead of reading the cookie. This is a HUGE security issue! I might be logged in with my own username, but the data it shows is for a different user that just happened to get cached by CF!
Worse, after the server crisis is over, the problem doesn’t go away. I even paused CF entirely, and the users are still experiencing the same issue.
My site is over 20 years old, and this problem only began when I started using Cloudflare.
Under Caching > Cache Rules, I have a rule set up to Bypass Cache when:
(starts_with(http.request.uri.path, "/cgi-bin")) or
(starts_with(http.request.uri.path, "/includes")) or
(starts_with(http.request.uri.path, "/chat")) or
(http.request.uri.path contains "/cpanel/") or
(starts_with(http.request.uri.path, ":2083")) or
(starts_with(http.request.uri.query, "h=")) or
(http.request.uri.query contains "&h=")
When the user submits the form to log in, it originally plugged in the date and time from a PHP variable; e.g.,
$date = 20240317141414;
'…&h=$date';
I changed it so that the number is created via JavaScript; e.g.,
'…&h=' + new Date().getTime();
The h parameter that’s ACTUALLY being sent by the user, though, is still the same number from 4 days ago. Meaning that /chat/ is being loaded from cache.
I’ve purged every variation I can think of (/chat, /chat/, /chat/index.php), but nothing has helped.
I also had the user add a dummy param, like so:
/chat/?z=1
but that also didn’t help.
I haven’t been able to duplicate it on my end, but several users have had the same problem. So I’m stuck troubleshooting based on what information they can give me :-/
I have turned off the proxy with Ezoic, but it didn’t help. At this point I have purged the cache for the site completely, I have paused Cloudflare, and I have it in Development Mode.
I’ve discovered another symptom of the same problem that might help to figure out the issue. I have a cookie set of:
user=GoNC
In Chrome, I’ve confirmed under Console > Application > Cookies that the only cookie that exists for “user” has the value of “GoNC”.
All of the PHP scripts have a line that looks like this:
echo $_COOKIE['user'];
This consistently shows another user’s username; NOT the expected value of “GoNC”.
Shift+F5 doesn’t help.
If I delete the cookie altogether, $_COOKIE['user'] is blank (as it should be). But then when I recreate the cookie, it goes back to the other user’s username instead of the value I’ve entered.
Mainly to help future users with the same problem, this DID end up being an issue with Ezoic!
They have a feature called “Leap” that includes “Cloud Caching”. I don’t know if it has any value when I already have Cloudflare, but it’s enabled on their end by default.
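A header check for the symptom described in this thread, added here as an example and not part of the original posts: it classifies a response to a cookie-bearing request as served from Cloudflare's cache, served from a cache at some other layer, or not marked private. `CF-Cache-Status`, `Age` and `Cache-Control` are real headers; the function names and sample responses are constructed, and it assumes any additional caching layer emits a standard `Age` header.

```python
# Added example: header values below are constructed, not captured from the site.
# CF-Cache-Status values that mean Cloudflare answered from its own cache.
CF_FROM_CACHE = {"HIT", "STALE", "REVALIDATED", "UPDATING"}


def cache_directives(value):
    """Parse a Cache-Control value into a set of lowercase directive names."""
    return {part.split("=", 1)[0].strip().lower()
            for part in value.split(",") if part.strip()}


def audit(headers):
    """Return findings for a response to a request that carried a session cookie."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    findings = []
    cf_status = h.get("cf-cache-status", "").upper()
    if cf_status in CF_FROM_CACHE:
        findings.append("served-from-cloudflare-cache")
    elif h.get("age", "").isdigit():
        # An Age header without a Cloudflare cache hit means some other cache
        # on the path answered (assumption: that layer sets Age).
        findings.append("cached-by-another-layer")
    if not (cache_directives(h.get("cache-control", "")) & {"private", "no-store"}):
        # Nothing tells shared caches to keep this per-user page out of storage.
        findings.append("not-marked-private")
    return findings


# Constructed sample responses for /chat/ requested with a "user" cookie.
SAMPLES = {
    # 345600 seconds is four days, like the stale h= value in the thread.
    "cloudflare hit": {"CF-Cache-Status": "HIT", "Age": "345600",
                       "Cache-Control": "public, max-age=14400"},
    # The bypass rule matched, yet the page is still old: another layer cached it.
    "bypass but stale": {"CF-Cache-Status": "BYPASS", "Age": "345600"},
    # Cloudflare paused: no CF header at all, but Age is still present.
    "cloudflare paused": {"Age": "120", "Cache-Control": "max-age=600"},
    # What a per-user page should look like.
    "private page": {"CF-Cache-Status": "DYNAMIC",
                     "Cache-Control": "private, no-store"},
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(f"{label}: {audit(headers) or 'ok'}")
```

Feeding it the headers from `curl -sI` run with the user's cookie shows which layer to investigate when purging Cloudflare changes nothing.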