Introduction
A Cache Everything rule can improve performance fast, but if it touches logged-in pages it can expose private or personalized content to the wrong visitors. The symptoms are often subtle at first: users see another person's dashboard, carts behave strangely, or admins think the site is haunted because changes appear in the wrong session. The real fix is to separate public cacheable pages from authenticated traffic instead of treating all HTML as identical.
Symptoms
- Logged-in users see stale or incorrect dashboard, cart, or account pages
- Anonymous visitors receive content that should only appear after login
- Admin changes do not appear consistently, or seem visible in another session
- The issue started after enabling Cache Everything, APO, or broad HTML caching
- Problems affect account, checkout, membership, or admin pages more than public pages
Common Causes
- Cloudflare caches HTML responses that vary by login state or user session
- Cache bypass rules do not account for authentication or cart cookies
- Origin responses for dynamic pages lack the headers needed to prevent shared caching
- URL-based cache rules are too broad and include account or admin paths
- Another plugin or platform layer assumes the CDN will respect user-specific cookies automatically
Step-by-Step Fix
- Confirm whether the wrong content is coming from Cloudflare cache or from the application itself.
- Review Cache Everything rules, APO settings, and page rules that apply to HTML responses on the affected host.
- Identify the cookies, paths, or user states that distinguish public pages from personalized or authenticated content.
- Add narrow bypass conditions for logged-in, cart, checkout, account, and admin traffic instead of weakening caching site-wide.
- Verify origin headers on dynamic responses communicate that those pages should not be reused across users.
- Purge any cached authenticated pages only after the bypass rules are in place so the problem does not immediately recur.
- Test as anonymous, logged-in, and privileged users in separate clean sessions to confirm cache isolation now works.
- Review related flows such as checkout, memberships, and admin editing because they often rely on more than one cookie.
- Keep public HTML caching rules explicit and narrow so future performance tuning does not leak private content.
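The check behind the first, fifth, and seventh steps can be run offline against captured request/response pairs. This is an added example, not part of the original page or any vendor tooling; the cookie prefixes and path prefixes are assumptions (WordPress/WooCommerce-style) and the sample captures are constructed. It treats only `private` or `no-store` as forbidding shared caching, which is a deliberately strict reading.

```python
# Added example: audit captured request/response pairs for cache isolation.
# Cookie prefixes and paths are assumptions; replace them with your app's values.
AUTH_COOKIE_PREFIXES = ("wordpress_logged_in_", "wp_woocommerce_session_",
                        "woocommerce_items_in_cart")
PRIVATE_PATH_PREFIXES = ("/wp-admin", "/my-account", "/cart", "/checkout")
# CF-Cache-Status values that mean the body came from Cloudflare's cache.
FROM_CACHE = {"HIT", "STALE", "UPDATING", "REVALIDATED"}


def is_personalized(path, cookie_names):
    """True when the request carries login/cart state or targets a private path."""
    has_cookie = any(c.startswith(AUTH_COOKIE_PREFIXES) for c in cookie_names)
    return has_cookie or path.startswith(PRIVATE_PATH_PREFIXES)


def forbids_shared_cache(cache_control):
    """True when Cache-Control contains private or no-store."""
    directives = {d.split("=")[0].strip().lower() for d in cache_control.split(",")}
    return bool(directives & {"private", "no-store"})


def audit(observations):
    """Return (path, finding) tuples for personalized traffic that is not isolated."""
    findings = []
    for obs in observations:
        if not is_personalized(obs["path"], obs["cookies"]):
            continue
        headers = {k.lower(): v for k, v in obs["headers"].items()}
        if headers.get("cf-cache-status", "").upper() in FROM_CACHE:
            findings.append((obs["path"], "served from Cloudflare cache"))
        if not forbids_shared_cache(headers.get("cache-control", "")):
            findings.append((obs["path"], "origin allows shared caching"))
    return findings


# Constructed sample captures (not real traffic).
SAMPLE = [
    {"path": "/blog/post", "cookies": [],
     "headers": {"CF-Cache-Status": "HIT", "Cache-Control": "public, max-age=600"}},
    {"path": "/my-account/", "cookies": ["wordpress_logged_in_abc"],
     "headers": {"CF-Cache-Status": "HIT", "Cache-Control": "max-age=600"}},
    {"path": "/checkout/", "cookies": ["woocommerce_items_in_cart"],
     "headers": {"CF-Cache-Status": "BYPASS", "Cache-Control": "no-store, private"}},
    {"path": "/", "cookies": ["wordpress_logged_in_abc"],
     "headers": {"CF-Cache-Status": "DYNAMIC", "Cache-Control": "max-age=0"}},
]

if __name__ == "__main__":
    for path, finding in audit(SAMPLE):
        print(f"{path}: {finding}")
```

The last sample shows a case that path-only bypass rules miss: a public URL requested with a login cookie, where the origin headers would still permit reuse if a broad HTML rule later matched it.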