Django session gets confused behind proxy, already logged in

Currently we're having some issues with a user of our product who uses a proxy on their internal network.

According to their system administrator the proxy is open to port 80 and 443, and doesn't do anything with cookies and such, only blocks out some sites.

The problem: when user X logs in to our application, user Y also gets logged in on a computer which didn't use our application before (but is behind the same proxy)?! This shouldn't be possible (django default auth app is used)?

We're using Apache, Nginx, Django 1.0 and PostgreSQL. Also note that it does work when run with runserver, but not with nginx.

This only occurs with this user with the proxy; on other networks, it does work.

Anyone experienced this before? If so, how'd you solve it?

Thanks in advance!

Stefan


This might be a problem with the cache related headers sent out, for example Cache-Control. By default, nothing stops a proxy from caching pages served to logged-in users. By sending Cache-Control: private or Cache-Control: max-age=0, you tell the proxy not to cache the page at all, which is needed for private pages.

You can control this with the cache_page decorator per-view, or by setting CACHE_MIDDLEWARE_ANONYMOUS_ONLY=True to completely disable caching for logged-in users. Of course, this can slow down your page, depending on how complex it is. In that case, you might want to look into doing more fine-grained caching.

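One way to enforce the Cache-Control: private header from the answer above at the WSGI layer, as an added example that is not part of the original answer and not Django's own code. The names PrivateCacheMiddleware, has_session, response_headers and sample_app are hypothetical, and the code assumes Django's default session cookie name, sessionid.

```python
SESSION_COOKIE = "sessionid"  # Django's default session cookie name (assumed unchanged)


def has_session(environ):
    """True if the request's Cookie header carries the session cookie."""
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        if part.strip().partition("=")[0] == SESSION_COOKIE:
            return True
    return False


class PrivateCacheMiddleware:
    """WSGI wrapper that marks per-user responses as off-limits to shared caches."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        per_user = has_session(environ)

        def patched(status, headers, exc_info=None):
            # A response that sets a cookie (e.g. the login response) is per-user too.
            sets_cookie = any(k.lower() == "set-cookie" for k, _ in headers)
            if per_user or sets_cookie:
                # Drop whatever the app said about caching and replace it.
                headers = [(k, v) for k, v in headers if k.lower() != "cache-control"]
                headers.append(("Cache-Control", "private, max-age=0"))
            return start_response(status, headers, exc_info)

        return self.app(environ, patched)


def response_headers(app, cookie_header=""):
    """Call a WSGI app with a constructed GET request and return its headers."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["headers"] = headers

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "HTTP_COOKIE": cookie_header}
    b"".join(app(environ, start_response))
    return seen["headers"]


def sample_app(environ, start_response):
    # Constructed stand-in for a view that was marked publicly cacheable.
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Cache-Control", "public, max-age=600")])
    return [b"hello"]
```

Wrapping the application object in the WSGI entry point applies the header to every response tied to a session, while anonymous responses keep whatever caching policy the view chose.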
