Hi! We've programmed a Django app with mandatory login. Under somewhat obscure circumstances, the browser (Firefox and Chrome) sends spurious If-Modified-Since header fields and may take the page of another user from the browser cache. It is like this:
1. User A logs in.
2. User A retrieves resource (=URL) X.
3. User A logs out.
4. User B logs in in the same browser window.
5. User B retrieves resource X.
6. User B sees the *same* page as user A! It was taken from the browser's cache.

(6) is disastrous because it may even be that B was not allowed to see X in the first place. As far as I can see, "Vary: Cookie" is properly set. We added an "@last_modified" decorator to "/X" that always returns "2001/01/01 00:00". We sniffed the HTTP headers with the "Live HTTP headers" of Firefox:

--8<---------------cut here---------------start------------->8---
http://127.0.0.1:8000/X

GET /X HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.1.9) Gecko/20100402 Ubuntu/9.10 (karmic) Firefox/3.5.9
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://127.0.0.1:8000/
Cookie: csrftoken=ee7e82e6131a46aef229221e1e351987; sessionid=8c61c7f10b17435bd7b044222f1e9eb7
If-Modified-Since: Mon, 01 Jan 2001 00:00:00 GMT
Cache-Control: max-age=0

HTTP/1.0 304 NOT MODIFIED
Date: Wed, 21 Jul 2010 19:02:52 GMT
Server: WSGIServer/0.1 Python/2.6.4
Last-Modified: Mon, 01 Jan 2001 00:00:00 GMT
Content-Length: 0
Content-Type: text/html; charset=utf-8
Content-Language: de
Vary: Accept-Language, Cookie
----------------------------------------------------------
[logout]
----------------------------------------------------------
http://127.0.0.1:8000/login

POST /login HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.1.9) Gecko/20100402 Ubuntu/9.10 (karmic) Firefox/3.5.9
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://127.0.0.1:8000/login
Cookie: csrftoken=ee7e82e6131a46aef229221e1e351987; sessionid=6c784d57f4b6f31e8b9a870afb1dec33
Content-Type: application/x-www-form-urlencoded
Content-Length: 90
username=b.bunny&password=12345&next=&csrfmiddlewaretoken=ee7e82e6131a46aef229221e1e351987

HTTP/1.0 302 FOUND
Date: Wed, 21 Jul 2010 19:03:20 GMT
Server: WSGIServer/0.1 Python/2.6.4
Content-Language: de
Expires: Wed, 21 Jul 2010 19:03:20 GMT
Vary: Accept-Language, Cookie
Last-Modified: Wed, 21 Jul 2010 19:03:20 GMT
Etag: "d41d8cd98f00b204e9800998ecf8427e"
Location: http://127.0.0.1:8000/
Cache-Control: max-age=0
Content-Type: text/html; charset=utf-8
Set-Cookie: sessionid=da1117b2a19755a53fbfc644d3a0e77a; expires=Wed, 04-Aug-2010 19:03:20 GMT; Max-Age=1209600; Path=/
----------------------------------------------------------
http://127.0.0.1:8000/X

GET /X HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.1.9) Gecko/20100402 Ubuntu/9.10 (karmic) Firefox/3.5.9
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://127.0.0.1:8000/
Cookie: csrftoken=ee7e82e6131a46aef229221e1e351987; sessionid=da1117b2a19755a53fbfc644d3a0e77a
If-Modified-Since: Mon, 01 Jan 2001 00:00:00 GMT (*****)

HTTP/1.0 304 NOT MODIFIED
Date: Wed, 21 Jul 2010 19:03:26 GMT
Server: WSGIServer/0.1 Python/2.6.4
Last-Modified: Mon, 01 Jan 2001 00:00:00 GMT
Content-Length: 0
Content-Type: text/html; charset=utf-8
Content-Language: de
Vary: Accept-Language, Cookie
--8<---------------cut here---------------end--------------->8---

That last If-Modified-Since causes my headaches. The server responds -- correctly -- with 304, and the browser takes the other user's page from the cache.
The big question is: Why does the browser send the If-Modified-Since in (*****)? And the even bigger question is: How can we prevent it?

Bye,
Torsten.

--
Torsten Bronger, aquisgrana, europa vetus
Jabber ID: torsten.bron...@jabber.rwth-aachen.de
or http://bronger-jmp.appspot.com
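An added example, not from the post and not Django's own code: a stand-alone Python model of the exchange captured above. It replays A's and B's requests against a browser cache keyed by URL only (which is what the capture shows happening despite Vary: Cookie) and the server's If-Modified-Since check, first with the post's constant Last-Modified, then with two defensive alternatives: a validator that is never older than the current session's login, and Cache-Control: no-store so the private body is not cached at all. The session login times are constructed; in a real project the validator would go into Django's last_modified decorator (django.views.decorators.http) and never_cache (django.views.decorators.cache) is the usual way to suppress caching.

```python
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed data: the two session ids from the capture with hypothetical
# login times; CONTENT_MTIME is the post's constant "2001/01/01 00:00".
SESSION_A = "8c61c7f10b17435bd7b044222f1e9eb7"
SESSION_B = "da1117b2a19755a53fbfc644d3a0e77a"
SESSION_LOGIN = {
    SESSION_A: datetime(2010, 7, 21, 19, 0, 0, tzinfo=timezone.utc),
    SESSION_B: datetime(2010, 7, 21, 19, 3, 20, tzinfo=timezone.utc),
}
CONTENT_MTIME = datetime(2001, 1, 1, 0, 0, 0, tzinfo=timezone.utc)

def constant_last_modified(session_id):
    return CONTENT_MTIME  # the post's decorator: one validator shared by every user

def login_aware_last_modified(session_id):
    # Hardened: never older than this session's login, so a validator the browser
    # cached under another user's session can no longer satisfy the check.
    return max(CONTENT_MTIME, SESSION_LOGIN[session_id])

def handle_get(request, last_modified_func, no_store=False):
    """Server side of GET /X; returns (status, headers, body)."""
    session_id = request["Cookie"].split("sessionid=", 1)[1].split(";")[0]
    lm = last_modified_func(session_id)
    headers = {"Last-Modified": format_datetime(lm, usegmt=True), "Vary": "Accept-Language, Cookie"}
    if no_store:
        headers["Cache-Control"] = "no-store"  # private body must never be stored
    ims = request.get("If-Modified-Since")
    if ims is not None and parsedate_to_datetime(ims) >= lm:
        return 304, headers, ""  # the same "not modified since" rule Django applies
    return 200, headers, f"private page of session {session_id}"

def replay(last_modified_func, no_store=False):
    """Replay the post's sequence (A fetches X, B logs in, B fetches X) through a
    browser cache keyed by URL only; returns the body user B ends up seeing."""
    cache = {}
    def browser_get(session_id):
        request = {"Cookie": f"sessionid={session_id}"}
        if "/X" in cache:
            request["If-Modified-Since"] = cache["/X"]["Last-Modified"]
        status, headers, body = handle_get(request, last_modified_func, no_store)
        if status == 304:
            return cache["/X"]["body"]  # browser fills the empty 304 from its cache
        if headers.get("Cache-Control") != "no-store":
            cache["/X"] = {"Last-Modified": headers["Last-Modified"], "body": body}
        return body
    browser_get(SESSION_A)
    return browser_get(SESSION_B)
```

replay(constant_last_modified) reproduces the symptom (B receives A's page), while either hardened variant hands B a fresh 200 with B's own page.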