----- Original Message -----
From: "Costin Manolache" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, July 16, 2003 8:38 PM
Subject: Re: [PROPOSAL] Add Post to the clear list for protected pages


> Bill Barker wrote:
>
> > At the moment (with the default settings), Tomcat 4.1.x and higher add
> > HTTP headers to non-SSL protected pages to prevent intermediate proxies
> > from caching them.  According to the HTTP/1.1 RFC (and even the HTTP/1.0
> > RFC), POSTed pages are not allowed to be cached by proxies (for the obvious
> > reasons).  I'd like to add request.getMethod().equals("POST") to the list
> > of conditions to *not* add the headers.
>
> Not sure I understand :-)
>
> The RFC requires that proxies don't cache POST requests. Are you saying
> we should *not* include the headers, because proxies will not cache anyway?
> Or to add the headers? And what does it have to do with SSL?
>

I'm saying to *not* include the headers, because any compliant proxy will
not cache anyway.  At the moment, SSL connections do not set the headers
(since they also can't be cached), and that is the only current exception.

At the moment, hitting the "back" button in the browser to a protected
POSTed page forces you to re-post to view the page.  This is generally
a-bad-thing, since it results in you getting two copies of Madonna's CD (and
charged twice ;-).

> ( I'm +0 any way )
>
> Costin
>
>
>
> > I'm happy if I can do this in 5.x, and ecstatic if I can back-port it to
> > 4.1.x (since it almost removes my need to configure the Authenticator).
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
