One of my readers, koshinbay13, has a few questions about coding a website to work for AOL users. After reading about AOL’s caching proxy servers, he’s looking for PHP code to prevent an AOL user’s cookies from getting passed to the next AOL users who show up on his site.
I can’t answer his PHP questions, but I’ve posted a response below to answer the rest of his questions as best as I can. Best answer from any of *you* gets posted to my “how-to” section as a permanent post with your name and website credited if you like.
In the meantime, I’d like anyone and everyone (especially if you’re a web dev! or if you work for AOL and have in-depth knowledge of proxy caching) to just throw in your two cents.
A few questions about caching on AOL…
Let us assume that Jeff, Sally, Bob, and Mary are all AOL users…(Firefox, IE, and Google Chrome browsers do not have this problem…at least when not AOL members.) Each of the four visit at random times and with varied number of pageviews per day. Sometimes, they are even on at the same time.
First, if any of them get internet through AOL as their ISP, the browser is forced into using the proxy settings no matter what options the browser thinks are set since AOL is the pipeline for all the data it will receive. Is there any way around that?
Let’s say Jeff logs in first. A session is created in PHP using the standard automated session_start() function call before any output is sent. Since several HTTP requests are made to create the page, does AOL’s IP address switching through proxy cause separate sessions to be created, or lost? Does anyone know if the IP address itself is part of the session_start() “recipe” to generate the PHP session ID?
Assuming Jeff is successful at logging in in the first place and the session retains the ID it started with including session variables, and cookies are enabled on both my server and Jeff’s browser, where are the cookies stored? Jeff’s PC, or globally on the AOL Proxy Server? I guess from your article and the other it is the proxy server…which is bad news for me…and “Jeff”. Are the PHP global session variables retained at all (based on the session ID status I suppose)?
Now, Jeff either leaves or stays on doing his business or reading the latest articles. Mary jumps online (also using AOL) and goes to her pages (or tries to log in). Is she going to be logged in as Jeff because cookies are stored via proxy and not on their individual PCs? If Jeff is still on and has a session started, does Mary automatically become part of his session? Would this then cause Jeff to become Mary as soon as she logs in? Would their attempts to log in be like a tug of war as they each cover the session and/or cookie values a few seconds after each other?
Sally logs in later…maybe. Will she also be logged in back and forth as herself, Jeff, and Mary? Does Bob inherit the same issue when he logs in even if Jeff has logged out? If Bob logs in and no one else is in at the same time to “interfere” with the session and cookie settings, will Jeff then see Bob’s info the next day when he logs in because Bob was the last value the session or cookie had? Since AOL is supposed to kill the session after they log out (of AOL, not my site), the session is likely destroyed. However, the cookie is still “in the jar” and fresh so that each user can be remembered when they return. Does AOL flush cookies automatically like the cache? And if cookies are stored on the Proxy Server, how does AOL know which user has which cookie? If it is on the proxy server(s), does this mean that my site can only store 30 cookies for all X users at one time?
My search revealed very few solutions to the problem, but I was able to find code to check if the user is browsing with AOL and send a header to prevent caching. In my code, I plan to use this:
    // Only applies when the user agent string contains "AOL".
    if (strpos($_SERVER['HTTP_USER_AGENT'] ?? '', 'AOL') !== false)
    {
        // Built as one line: header() rejects values that contain newlines.
        header("Cache-Control: no-store, private, must-revalidate, "
            . "proxy-revalidate, post-check=0, "
            . "pre-check=0, max-age=0, s-maxage=0");
    }

I see how it should affect the caching of the page, but I do not think it changes cookies at all, or affects the session issues (if they exist).
Is there a way around this that will allow AOL users to keep their own cookies and retain session data while using a site? Or did they simply continue to plug their ears and close their eyes?
I realize this is a long post, but I wanted enough info to establish the problem and the right questions. Since cookie use is somewhat subjective to the browser implementation (an understatement no doubt), has anyone found a solution to make it work correctly? Am I doing something wrong (for AOL) or mistaken?
OK, everyone, your turn….any thoughts?
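One way to approach the concern raised in the post, as an added example that is not the reader's code or part of the original post: mark every session-bearing response as uncacheable for all clients rather than sniffing the user agent, and key the session on the cookie alone so proxy IP switching does not matter. It assumes PHP 7.3 or later and a site served over HTTPS; `start_private_session`, `login_user` and `current_user` are hypothetical helper names.

```php
<?php
// Added example, not the reader's code. Assumptions: PHP 7.3+, site on HTTPS.
// start_private_session(), login_user(), current_user() are hypothetical names.

function start_private_session(): void
{
    // Applied to every client, not only user agents containing "AOL":
    // session_start() will emit Expires, Cache-Control and Pragma headers
    // that tell browsers and shared proxies not to store the response.
    session_cache_limiter('nocache');

    // Accept only IDs this server issued, and only from the cookie,
    // never from a URL that a cache or log could retain.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');

    session_set_cookie_params([
        'lifetime' => 0,      // dropped when the browser closes
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // not readable from page scripts
        'samesite' => 'Lax',
    ]);

    session_start();
    // Deliberately no REMOTE_ADDR check here: the session is looked up by
    // the cookie value alone, so requests arriving from different proxy
    // addresses still reach the same session.
}

function login_user(string $username): void
{
    // Issue a fresh ID at login and delete the old session data, so an ID
    // seen before authentication cannot be reused afterwards.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
}

function current_user(): ?string
{
    return $_SESSION['user'] ?? null;
}

// Constructed usage: one request that logs a user in.
start_private_session();
if (current_user() === null) {
    login_user('jeff'); // sample value
}
echo 'Logged in as ', current_user(), PHP_EOL;
```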