Danger of using Cache Everything with Edge Cache TTL in CloudFlare

Not understanding cache-control headers can lead to security loopholes

Recently, one of our customers came to us with an urgent problem to fix. They have a Drupal website with CloudFlare as the CDN, and admin users had started seeing each other's accounts when they logged in.

I did a quick investigation and suspected that the problem was due to the CloudFlare cache. Typically, the Drupal cache-control header and the CloudFlare cf-cache-status header look as follows:

cache-control: must-revalidate, no-cache, private
cf-cache-status: DYNAMIC

CloudFlare does not cache Drupal pages because of the presence of cookies, whether the user is logged in or not. Thus cf-cache-status is always DYNAMIC, which means the page is dynamic content and not eligible for caching in CloudFlare.

What I noticed was that cf-cache-status was shown as HIT, which is odd:

cache-control: must-revalidate, no-cache, private
cf-cache-status: HIT

When I logged into the customer's CloudFlare account, I noticed a new Page Rule.

The customer had created a page rule to cache pages, probably because they felt the website was slow. Besides setting the rule to Cache Everything, they also decided that the Edge Cache TTL could be set to a day, since their content does not change that often.

Setting CloudFlare to Cache Everything does not mean CloudFlare will really cache everything. It will still not cache dynamic pages such as Drupal pages, since those responses carry cookies that are specific to individual users. CloudFlare will only cache assets such as images, fonts and static files like CSS.

However, by activating Edge Cache TTL, CloudFlare will strip the cookies from the responses. This means the Drupal pages will be cached, but without their cookies, so a page rendered for one logged-in admin is served from the edge cache to the next. This is the root cause of admin users seeing each other's accounts, and the CloudFlare documentation clearly warns about it. I quickly turned off this rule and the problem was resolved.
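As an added example (not code from the original post), here is a small Python check that flags the exact symptom described above: a response the origin marked private or no-cache that CloudFlare nonetheless reports as served from its cache. The header sets are constructed from the values quoted in the post, and the list of cf-cache-status values treated as "served from cache" is my assumption.

```python
"""Flag responses where the CDN cached content that the origin marked private."""
from typing import Dict, List

# cf-cache-status values that mean the body came from (or was refreshed in) the
# edge cache. Assumed set; DYNAMIC/BYPASS/MISS mean the origin answered directly.
SERVED_FROM_CACHE = {"HIT", "STALE", "UPDATING", "REVALIDATED"}
# Cache-Control directives that tell a shared cache not to store or reuse the response.
PRIVATE_DIRECTIVES = {"private", "no-cache", "no-store"}


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split 'a, b=1' into {'a': '', 'b': '1'}; directive names are case-insensitive."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def audit_response(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response; an empty list means nothing suspicious."""
    h = {k.lower(): v for k, v in headers.items()}
    directives = parse_cache_control(h.get("cache-control", ""))
    status = h.get("cf-cache-status", "").upper()
    findings: List[str] = []
    private = PRIVATE_DIRECTIVES & set(directives)
    if private and status in SERVED_FROM_CACHE:
        findings.append(
            f"cf-cache-status {status} despite Cache-Control {sorted(private)}: "
            "the edge is overriding origin cache directives (check Page Rules / Edge Cache TTL)"
        )
    if "set-cookie" in h and status in SERVED_FROM_CACHE:
        findings.append("Set-Cookie present on a cached response: a session may be shared")
    return findings


# Constructed samples: the healthy baseline and the broken state from the post,
# plus a static asset for which a HIT is expected and harmless.
SAMPLES = {
    "baseline": {"cache-control": "must-revalidate, no-cache, private", "cf-cache-status": "DYNAMIC"},
    "after_page_rule": {"cache-control": "must-revalidate, no-cache, private", "cf-cache-status": "HIT"},
    "static_asset": {"cache-control": "public, max-age=31536000", "cf-cache-status": "HIT"},
}


def audit_all(samples: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    return {name: audit_response(h) for name, h in samples.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES).items():
        print(name, "->", findings or "ok")
```

In practice the header dicts would come from sampled responses to authenticated pages, so the check can run after every Page Rule change.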