tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michael Smith <>
Subject Re: [PROPOSAL] Add Post to the clear list for protected pages
Date Thu, 17 Jul 2003 03:47:46 GMT
Costin Manolache wrote:
> Bill Barker wrote:
>>At the moment (with the default settings), Tomcat 4.1.x and higher add
>>HTTP headers to non-SSL protected pages to prevent intermediate proxies
>>caching them.  According to the HTTP/1.1 RFC (and even the HTTP/1.0 RFC),
>>POSTed pages are not allowed to be cached by proxies (for the obvious
>>reasons).  I'd like to add request.getMethod().equals("POST") to the list
>>of conditions to *not* add the headers.
> Not sure I understand :-)
> The RFC requires that proxies don't cache POST requests. Are you saying 
> we should *not* include the headers, because proxies will not cache anyway ?
> Or to add the headers ? And what does it has to do with SSL ?

(as an interested observer who has been fighting caching problems both 
with and without SSL for the last couple of days...)

Currently tomcat sets no-cache headers (Pragma: no-cache, Cache-Control: 
  no-cache, and an Expires header) IF:
         The resource is protected (requires authentication)
     AND The resource is NOT accessed via SSL (since intermediaries 
won't ache things that are using SSL, I think). This is also neccesary 
to get internet explorer to behave sanely when serving files that it 
needs to open in an external program.

There's also a flag that disables this behaviour entirely.

As you correctly interpreted, Bill's suggestion is that these headers 
should _not_ be added for POST requests, because intermediaries will not 
cache these anyway. Disallowing caching has a tendency to cause 
undesirable behaviour on the client end (at least with IE, which many of 
us have to support), so my guess is that that is why Bill doesn't want 
these headers added in this case.

Mike Smith

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message