User logging in as another on our platform

Hi, I’m not even sure if this is a problem with Cloudflare caching, but maybe someone can help me shed some light on an issue we had some months ago. I’ve been investigating and trying to close this issue before moving forward with some other security walls because I want to be sure of what the problem was, to prevent it from happening again.

Our platform is a single page application built with React + Express and one Ruby on Rails backend. Users authenticate and get a JSON Web Token that is stored as a cookie and sent in the Header for every request.
One day a user contacted us saying that after the signup he was seeing another user’s dashboard. I investigated to see if the backend sent an incorrect JWT, and this scenario seems less likely to happen.
So the other hypothesis is that something is being cached.

The API responses are configured to not be cached (Cache-Control: private, no-store) so I’m trying to understand if the frontend pages are somehow ending up cached at some level.
At that time, the CF cache settings were standard and there wasn’t any bypass rule.
We had another similar incident, then I set one rule to bypass cache on every page and it seems to be working, but I can’t be 100% sure. The worst bugs are the ones that happen “sometimes”.

  • We have an average of 5K pageviews and at least 3 users reported this happening before the cache bypass; it wasn’t happening to all… why?
  • The Cache Everything feature was not activated. If I turn it on, it caches all HTML, but with that turned off, shouldn’t CF just cache other static assets, images, JS, CSS?
  • Has anyone with a similar architecture been through this issue?
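
Added example, not part of the original post: one way to check captured response headers for the scenario being asked about, where a response that sets the JWT cookie is served from the edge cache or lacks `private`/`no-store`. It assumes header captures are available (for example from browser dev tools or server logs); the sample responses, paths and finding names are constructed, and `CF-Cache-Status` is the header Cloudflare adds to show how the edge handled a request.

```javascript
// Added example: flag responses that carry per-user state but touched a shared cache.
// All sample responses are constructed; header names are lower-cased as Node exposes them.
const SERVED_FROM_CACHE = new Set(['HIT', 'STALE', 'REVALIDATED', 'UPDATING']);

// Split "private, no-store, max-age=0" into a Map of directive -> argument.
function parseCacheControl(value = '') {
  const directives = new Map();
  for (const part of value.split(',')) {
    const [name, arg = ''] = part.trim().toLowerCase().split('=');
    if (name) directives.set(name, arg.replace(/"/g, ''));
  }
  return directives;
}

// Return finding codes for one captured response.
function auditResponse({ headers }) {
  const cc = parseCacheControl(headers['cache-control']);
  const status = (headers['cf-cache-status'] || '').toUpperCase();
  const fromCache = SERVED_FROM_CACHE.has(status);
  const setsCookie = 'set-cookie' in headers;
  const forbidsSharedCache = cc.has('private') || cc.has('no-store');
  const findings = [];
  if (setsCookie && fromCache) findings.push('SET_COOKIE_SERVED_FROM_CACHE');
  if (setsCookie && !forbidsSharedCache) findings.push('SET_COOKIE_WITHOUT_PRIVATE_OR_NO_STORE');
  if (fromCache && forbidsSharedCache) findings.push('CACHE_HIT_DESPITE_PRIVATE_OR_NO_STORE');
  return findings;
}

// Keep only the responses that produced at least one finding.
function auditAll(responses) {
  return responses
    .map((r) => ({ url: r.url, findings: auditResponse(r) }))
    .filter((r) => r.findings.length > 0);
}

const samples = [ // constructed header captures
  { url: '/api/session', headers: { 'cache-control': 'private, no-store',
      'set-cookie': 'jwt=PLACEHOLDER; HttpOnly; Secure', 'cf-cache-status': 'DYNAMIC' } },
  { url: '/dashboard', headers: { 'cache-control': 'public, max-age=300',
      'set-cookie': 'jwt=PLACEHOLDER; HttpOnly; Secure', 'cf-cache-status': 'HIT', age: '42' } },
  { url: '/static/app.js', headers: { 'cache-control': 'public, max-age=31536000',
      'cf-cache-status': 'HIT' } },
  { url: '/api/me', headers: { 'cache-control': 'private, no-store', 'cf-cache-status': 'HIT' } },
];

console.log(JSON.stringify(auditAll(samples), null, 2));
```

Running the same checks over real captures from signup and dashboard requests shows whether any cookie-setting response was ever answered by the edge rather than the origin.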

