Firefox VIEW SOURCE shows login page

情到浓时终转凉″ submitted on 2021-02-18 20:59:46

Question


I'm running Firefox 61.0 on Arch Linux. When viewing the source of a page, I frequently (but not always, estimated 20% of the time) see the source code of the login page when I'm browsing a website that requires me to log in. This happens when I'm browsing localhost. The source code of each page is generated on the server; this is not a problem with the DOM being manipulated. It happens using Django as well as PHP. Example:

LOGIN PAGE:

<html>
<title>Login</title>
<body>
Login please: [    ]
</body>
</html>

HOME PAGE:

<html>
<title>Welcome USER NAME</title>
<body>
Good day, USER
</body>
</html>

After I have logged in and I am on the homepage, I hit CTRL+U, it will show me:

<html>
<title>Login</title>
<body>
You are logged in as USER
</body>
</html>

In other words, it isn't taking the previous page from its cache; it seems to somehow try and fetch the source code of the page I'm on but it is redirected to the login page.

NOTE: if I run INSPECT ELEMENT on the page then I do see the right source code. The problem is only with VIEW SOURCE. This does NOT happen in Chrome or other browsers, just in Firefox.

Any idea why this could happen?

To clarify: these are two different pages. The login page is login.php and the home page is index.php. When I CTRL+U on index.php, Firefox shows me the source code of login.php, even though I am already logged in.


Answer 1:


Apparently, this has always been an issue with Firefox's "view source". Here's a bug that was reported 13 years ago describing the process by which Firefox loads the page's source code by refreshing/re-requesting the whole page.

It is possible that an uncached version of the page is being downloaded, and thus, showing different results for the debugger and the source. It all depends on how the login data is being handled (cookies, session variables, server variables, etc.).

Here's another Stack Overflow question on a related topic. I hope this can give you an idea on how to solve the issue you're having.




Answer 2:


I had the same issue. In current FF68 it is an option in the preferences in the dev tools. This has to be unchecked to send your cached login cookie.




Answer 3:


The login process is changing the html in the page. Quite often, in a login scenario, this is done with a form. But the general idea is to give you access to something once you've logged in. This can mean new information in the same page. It's the same one as the home (perhaps) or login page. The back end process checks the login information and then, if it matches, will send new html to replace the html in the page. There is more than one way to do it and more than one idea regarding what a website provides as a result of logging in. For example, I built a website with login that - once someone is logged in - their order forms are filled out automatically. They can also change their profile information. But the page doesn't change. I've also built pages that totally replace the html with a new page that allows access to whatever the registered user is allowed to access.




Answer 4:


I've seen this behavior as well and it happens when applications (server-side) don't properly handle caching.

What might happen is that your index.php redirects non-logged-in users to login.php. Combine this with a hit on index.php page that includes itself as a resource (e.g. in an image or XMLHttpRequest) without supplying credentials and your application redirects the browser (for this resource) to login.php. This second hit (for the resource with same URL as the page, no proper credentials and a response with incorrect headers) will overwrite the first in your browser cache, making your browser display the second response (redirect to login.php), not the first (actual index.php) when you view source.

I hope this is clear, otherwise I'll try to add an example. You can use external tools such as redbot to check cacheability of the index page (check both with and without credentials). Also, if you use the developer-console (network-tab) you should enable 'Persist Logs' and verify the requested URLs and their cache status. Alternatively, if this is a web-application you control, check for any Cache-Control and Last-Modified headers being sent in the application.
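
An added example, not part of the original answers: a Python sketch of the check Answer 4 suggests, requesting the same URL with and without credentials and inspecting the cache headers on each response. The toy WSGI app, the cookie value, the helper names and the choice of `Cache-Control: no-store` plus `Vary: Cookie` as the corrected setting are all assumptions made for illustration.

```python
from wsgiref.util import setup_testing_defaults

SESSION_COOKIE = "sessionid=constructed-demo-value"  # constructed sample credential

def app(environ, start_response, harden):
    """Toy index page (hypothetical): redirects to /login without the session cookie."""
    logged_in = SESSION_COOKIE in environ.get("HTTP_COOKIE", "")
    headers = [("Content-Type", "text/html")]
    if harden:
        # The response depends on the cookie, so tell caches not to keep or share it.
        headers += [("Cache-Control", "no-store"), ("Vary", "Cookie")]
    if logged_in:
        start_response("200 OK", headers)
        return [b"<title>Welcome USER NAME</title>"]
    start_response("302 Found", headers + [("Location", "/login")])
    return [b""]

def fetch(cookie=None, harden=True):
    """Call the app in-process (no network) and return (status, lower-cased headers)."""
    environ = {}
    setup_testing_defaults(environ)
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    seen = {}
    def start_response(status, headers):
        seen.update(status=status, headers={k.lower(): v for k, v in headers})
    list(app(environ, start_response, harden))
    return seen["status"], seen["headers"]

def cache_findings(status, headers):
    """List missing cache headers on a response whose content depends on credentials."""
    findings = []
    cc = headers.get("cache-control", "").lower()
    if not any(d in cc for d in ("no-store", "no-cache", "private")):
        findings.append("no restrictive Cache-Control")
    if "cookie" not in headers.get("vary", "").lower():
        findings.append("no Vary: Cookie")
    if status.startswith("30") and "no-store" not in cc:
        findings.append("redirect lacks no-store")
    return findings

def audit(harden):
    """Check the same URL with and without credentials."""
    return {who: cache_findings(*fetch(cookie, harden))
            for who, cookie in (("anonymous", None), ("logged_in", SESSION_COOKIE))}

if __name__ == "__main__":
    print("unhardened:", audit(False))
    print("hardened:  ", audit(True))
```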



Source: https://stackoverflow.com/questions/51228872/firefox-view-source-shows-login-page
