Logged in state inconsistent with APO WordPress

My WordPress website allows for users to register and log in. When APO is enabled in the WordPress plugin, my site’s speed is great, but issues arise with the login state being inconsistent.

For example, I’ve ran into the following issues:

  • After login and redirect to the homepage, the users is not logged in until a hard refresh.
  • When the users is logged in and browses to a page they previously visited while not being logged in, they will be shown the not-logged-in version of the page.

Reading through what others have said about APO, I’m lead to believe that Cloudflare automatically bypasses the cache for certain WordPress login cookies, however, this does not seem to be the case in my experience.

My ideal scenario is this:

  • Logged out users are shown cached pages
  • Logged in users are not shown cached pages

I’m on a Pro Cloudflare plan. Any suggestions to why this is not working as expected?

If a forced refresh solves the problem, it should be caused by browser cache, not by Cloudflare’s edge cache.

Do you see any cache-control headers in your html files?

1 Like

Hi Laudrian, thanks for your response!

I just checked my cache-control headers in every scenario. Do you see anything that could be causing this?

APO Enabled:

  • Logged in: no-cache, must-revalidate, max-age=0, no-store, private
  • Logged out: max-age=14400
  • Logged out to Logged in on redirect to homepage: max-age=14400 (and page appears logged-out)
  • Logged in but is page showing logged out, then refresh page: no-cache, must-revalidate, max-age=0, no-store, private

APO Disabled:

  • Logged out: no cache-control header
  • Logged in: no-cache, must-revalidate, max-age=0, no-store, private
  • Other two states from “APO Enabled” have no issues with this setting.

How is that supposed to work? When you are logged in and navigate to a site that is in the browser cache, it will load the site from cache.

Did you add these headers manually?

Either don’t cache html in browsers or use the vary header to make sure the cache is skipped if a cookie is present.

1 Like

Hi Laudian,

It turns out I still had the “Browser Cache TTL” setting in Cloudflare enabled and set to 4 hours (14400 seconds)

Once I set this to “Respect Existing Headers”, the APO settings seemingly started working properly.

Thank you for pointing me in the right direction!

It seems I may have been too quick to judge. Logged in users are still getting a “HIT” response from Cloudflare if they do this:

  • Visit a page
  • Log in → Homepage shows they are logged in
  • Browse back to that page → Page is shows user is logged out (Cloudflare cache HIT)
  • Refresh page → Page shows user is logged in

Will do some more testing to see if I can find out what’s causing this.

Have you tested this in a private browser window?

For sites that are already cached by your user’s browsers, you’ll have to wait until the max-age has expired. Or every users needs to clear their browser cache.


I did all tests in a private browser window.

I think the issue might’ve been that my pages did not have a cache-control header set at all once I changed the “Browser Cache TTL” setting in Cloudflare.

I’ve manually added “no-cache, must-revalidate, max-age=0, no-store, private” to my NGINX configuration, and so far it’s looking good.

Will update if I run into any issues again, but if not, then my above solutions seemed to work!

I had what I think is the same issue that you had, which I posted about here: Signed In users seeing signed out version of page they had previously viewed before signing in

My “fix” was the following in my child theme function.php:

    if ( !is_user_logged_in() ) {
		header( 'Cache-Control: max-age=2592000, must-revalidate, public' );
	} else {
        header( 'Cache-Control: no-cache, must-revalidate, max-age=0, no-store, private' );
    //this should force a difference between signed in and signed out users so that once signed in, browsers know to look for a fresh page so that
    //logged-out version of page does not appear for a signed in user that goes back to the same page they had previously visited before logging in
    header( 'Vary: Cookie', false ); // Added Vary: Cookie header (but don't replace other Vary headers if present).

This mostly works, although my html cache hit rate is still not as high as it should be since I had to add the Vary header.

It’s strange as I thought APO documentation suggests that cookies with wp- are looked for and used to know when to not serve a cached version of the page.