20 Nov 2009
06 Sep 2011
We just discovered that somewhere between 4.0 and our upgrade to 4.1 and eventually 4.2, SF started applying output caching to all pages in the site. On v4.0 we had set up caching on only the pages that were safe to cache, and left caching turned off on secure or personalized pages where it was not possible. As a result of the new cache settings that were automatically applied, we just found out we had exposed users' data to other users on the site accessing the cached pages for the past couple of weeks.
Would have been nice if SF respected the cache settings that I had in place before the upgrade. If caching was not turned on for a given page, that meant I did not want to cache it, not that I didn't care whether it was cached or not. System-wide cache profiles sound like a nice feature for new installations, but the repercussions on an existing installation are somewhat severe. Seems as though the feature should have been turned off by default, or smart enough to detect existing cache settings.
Please help me understand if I missed something somewhere in the upgrade process. It's entirely possible I missed a breaking change, or that we had something set up wrong to begin with.