httpd-dev mailing list archives

From Yves Lafon
Subject Re: mod_proxy: HTTP/1.1 support
Date Tue, 07 Mar 2000 09:49:15 GMT
On Tue, 7 Mar 2000, Graham Leggett wrote:

> Hi all,
> I am busy finishing off HTTP/1.1 support for mod_proxy, but need a bit
> of clarification on how caching password protected data works.

Well, it depends if the cache is used in a shared environment (the default
behaviour), or if it is used only as a personal cache. In that case, you can
store such replies (unless other headers prevent you from doing so).

> So far, my understanding goes like this for our application (mod_proxy):
> - Cache-Control: no-cache, no-store, private all have the same meaning -
> don't store a cached response, always get the file from the origin
> server.

no-cache in the Cache-Control of the reply means that you can't use the
cached reply for the next request without revalidation. A request no-cache
will avoid using the cache (but there is no restriction about the cache
storing the result, unless other controls are there).

> - Cache-Control: public means that we must ignore the fact that the
> object is password protected using Authorization:, we can cache it, and
> we can give the object to anyone who asks for it, as long as it is
> fresh. We do not have to check with the origin server at all, as long as
> it's fresh.

But there is also Cache-Control: s-maxage=XXX, the reply may be served,
but you MUST revalidate to be sure that the user is authorized to get this
page if the current age is > XXX.

> Am I making the correct assumptions? I want to make sure that I am doing
> the right thing before I submit a patch, as this is obviously a security
> issue.



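
The rules discussed in this thread, as an added example that is not part of the original message or of mod_proxy: a minimal store/serve decision for a cache handling replies to requests that carried Authorization. The function names and result strings are assumptions of this example, and the list of directives that let a shared cache keep an authenticated reply (public, s-maxage, must-revalidate) comes from RFC 2616 section 14.8 rather than from the message.

```python
# Added illustration, not mod_proxy code. Function names and the
# "serve"/"revalidate"/"bypass" results are assumptions of this example.
AUTH_OVERRIDES = ("public", "s-maxage", "must-revalidate")  # RFC 2616 sec. 14.8

def parse_cc(value):
    """Cache-Control value -> {directive: argument or None}.
    Quoted field lists (no-cache="Set-Cookie") are not split correctly; the
    bare directive is still seen, so the result errs on the strict side."""
    out = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name.strip():
            out[name.strip().lower()] = arg.strip().strip('"') or None
    return out

def may_store(resp_cc, shared, req_had_authorization):
    """May this cache keep the reply at all?"""
    cc = parse_cc(resp_cc)
    if "no-store" in cc:
        return False
    if not shared:
        return True                    # personal cache: private/auth replies are fine
    if "private" in cc:
        return False
    if req_had_authorization:          # shared cache needs explicit permission
        return any(d in cc for d in AUTH_OVERRIDES)
    return True

def serve_action(resp_cc, req_cc, shared, age, fresh):
    """What to do with a stored reply of `age` seconds for a new request."""
    cc, rq = parse_cc(resp_cc), parse_cc(req_cc)
    if "no-cache" in rq:
        return "bypass"                # request no-cache: do not answer from cache
    if "no-cache" in cc:
        return "revalidate"            # stored, but never reused unchecked
    if shared and "s-maxage" in cc:
        try:
            return "serve" if age <= int(cc["s-maxage"]) else "revalidate"
        except (TypeError, ValueError):
            return "revalidate"        # unusable limit: fail closed
    return "serve" if fresh else "revalidate"

if __name__ == "__main__":
    # Constructed case: authenticated reply with s-maxage=60, now 61 s old.
    print(may_store("s-maxage=60", True, True), serve_action("s-maxage=60", "", True, 61, True))
```

A response carrying only no-cache may still be stored by this logic; it is the reuse without revalidation that is refused.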