Posted to dev@tomcat.apache.org by Dennis van den Berg <De...@triodos.nl> on 2003/02/28 09:13:45 UTC

Invalid no-cache http headers

I already posted this to the user mailing list but did not get any useful replies, and I think this is actually a development question.

Hi all,

I encountered problems with the newer Tomcat 4 versions.
There are caching headers set on the response, in the case of URLs with security constraints, which are not set in older Tomcat 4 versions.

This results in 2 things:
- The user is not able to use the back button anymore ("This page has expired", in IE6 anyway).
- When you send a file as an attachment to the browser, the user gets an open/save dialog.
  When the user presses open, the file is first put into the cache and then opened (by IE6 anyway),
  so this results in a 'file not found' message, because caching is disabled.

In the following method in org.apache.catalina.authenticator.AuthenticatorBase:
    public void invoke(Request request, Response response,
                       ValveContext context)
        throws IOException, ServletException {

I found the following code fragment (hrequest is the HttpRequest view of the Valve's Request, declared earlier in the same invoke() method):
        HttpRequest hrequest = (HttpRequest) request;

        // Make sure that constrained resources are not cached by web proxies
        // or browsers as caching can provide a security hole.
        // Only plain-HTTP requests are affected; HTTPS responses are left alone.
        if (disableProxyCaching &&
            !(((HttpServletRequest) hrequest.getRequest()).isSecure())) {
            HttpServletResponse sresponse =
                (HttpServletResponse) response.getResponse();
            sresponse.setHeader("Pragma", "No-cache");
            sresponse.setHeader("Cache-Control", "no-cache");
            // 1 ms after the epoch: the response is already stale when it arrives
            sresponse.setDateHeader("Expires", 1);
        }

I think this piece of code is the source of the problem.
When I read the specs for HTTP, I think I can conclude there are more applicable values for the "Cache-Control" header in this case. For example "private" or "no-store".

Did anyone else encounter any problems of this kind, or did I overlook something?

Thanks for any replies,

Dennis
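Added example, not part of the post above or of Tomcat's own code: a small Python model of how the three response headers set by AuthenticatorBase, and the two alternative Cache-Control values mentioned (private, no-store), are treated under the RFC 2616 section 14.9 rules by a browser cache versus a shared proxy cache. The TOMCAT_HEADERS sample is constructed to mirror the quoted fragment; the function names parse_cache_control, cache_policy and compare_alternatives are this example's own. Pragma is deliberately ignored in the decision, because RFC 2616 (section 14.32) leaves the meaning of "Pragma: no-cache" as a response header unspecified.

```python
import email.utils
import time

# Constructed sample: the three headers the quoted AuthenticatorBase fragment sets.
# setDateHeader("Expires", 1) is 1 ms after the epoch, i.e. already in the past.
TOMCAT_HEADERS = {
    "Pragma": "No-cache",
    "Cache-Control": "no-cache",
    "Expires": email.utils.formatdate(0.001, usegmt=True),
}


def parse_cache_control(value):
    """Split a Cache-Control header into {directive: argument or None}.

    Commas inside quoted arguments are kept, so
    'private="Set-Cookie, Authorization", max-age=60' yields two directives.
    """
    directives = {}
    parts, buf, in_quotes = [], [], False
    for ch in value or "":
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    for part in parts:
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def cache_policy(headers, shared_cache, now=None):
    """Return (verdict, reason) for a cache of the given kind.

    verdict is one of 'no-store', 'revalidate', 'fresh', 'stale', 'heuristic'.
    shared_cache=True models a proxy; False models the browser's own cache.
    Header names are matched case-insensitively, as in HTTP.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return "no-store", "no-store: the response must not be retained at all"
    if shared_cache and "private" in cc and cc["private"] is None:
        return "no-store", "private: only a single-user cache may store this"
    if "no-cache" in cc and cc["no-cache"] is None:
        # A no-cache response MAY be stored, but must be revalidated with the
        # origin before it is reused; this is what the Tomcat fragment sends.
        return "revalidate", "no-cache: stored copy must be revalidated before reuse"
    # Freshness: max-age (s-maxage for shared caches) takes precedence over Expires.
    now = time.time() if now is None else now
    age_limit = None
    if shared_cache and "s-maxage" in cc:
        age_limit = int(cc["s-maxage"])
    elif "max-age" in cc:
        age_limit = int(cc["max-age"])
    if age_limit is not None:
        return ("fresh" if age_limit > 0 else "stale"), "max-age=%d" % age_limit
    if "expires" in h:
        exp = email.utils.parsedate_to_datetime(h["expires"]).timestamp()
        return ("fresh" if exp > now else "stale"), "Expires: " + h["expires"]
    return "heuristic", "no explicit freshness information"


def compare_alternatives(now=None):
    """Evaluate the three candidate Cache-Control values from the post for both cache kinds."""
    results = {}
    for directive in ("no-cache", "private", "no-store"):
        hdrs = dict(TOMCAT_HEADERS, **{"Cache-Control": directive})
        results[directive] = {
            "browser": cache_policy(hdrs, shared_cache=False, now=now)[0],
            "proxy": cache_policy(hdrs, shared_cache=True, now=now)[0],
        }
    return results


if __name__ == "__main__":
    for directive, verdicts in compare_alternatives().items():
        print("Cache-Control: %-9s browser=%-10s proxy=%s"
              % (directive, verdicts["browser"], verdicts["proxy"]))
```

The comparison makes the trade-off in the post concrete: "no-cache" lets both caches keep a copy as long as they revalidate it; "private" keeps the response out of shared proxies while the browser may still hold it (stale, because of the past Expires date); "no-store" forbids any cache from keeping it, which is the strictest choice for a protected resource but also the one most likely to break back-button and download behaviour in a browser that honours it literally.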

