tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dennis van den Berg" <>
Subject Invalid no-cache http headers
Date Wed, 26 Feb 2003 15:29:34 GMT
Hi all,

I encountered problems with the newer Tomcat 4 versions.
There are caching-headers set on the response, in case of URL's with security constraints,
which are not set in older Tomcat 4 versions versions. 

This results in 2 things;
- The user is not able to use the back-button anymore (This page has expired, in IE6 anyway)
- When you send a file as an attachement to the browser the user gets an open/save dialog.
  When the user presses open, the file is first put into the cache and then opened (by IE6
  So this results in an 'file not found' message, because caching is disabled.

In the following method in org.apache.catalina.authenticator.AuthenticatorBase:
    public void invoke(Request request, Response response,
                       ValveContext context)
        throws IOException, ServletException {

I found the following code-fragment:
        // Make sure that constrained resources are not cached by web proxies
        // or browsers as caching can provide a security hole
        if (disableProxyCaching && 
            !(((HttpServletRequest) hrequest.getRequest()).isSecure())) {
            HttpServletResponse sresponse = 
                (HttpServletResponse) response.getResponse();
            sresponse.setHeader("Pragma", "No-cache");
            sresponse.setHeader("Cache-Control", "no-cache");
            sresponse.setDateHeader("Expires", 1);

I think this piece of code is the source of the problem.
When I read the specs for HTTP, I think I can conclude there are more applicable values for
the "Cache-Control" header in this case. For example "private" or "no-store".

Did anyone else encounter any problems of this kind, or did I overlook something?

Thanks for any replies,


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message