Bill Barker wrote:
At the moment (with the default settings), Tomcat 4.1.x and higher add HTTP headers to non-SSL protected pages to prevent intermediate proxies from caching them. According to the HTTP/1.1 RFC (and even the HTTP/1.0 RFC), POSTed pages are not allowed to be cached by proxies (for the obvious reasons). I'd like to add request.getMethod().equals("POST") to the list of conditions to *not* add the headers.
Not sure I understand :-)
The RFC requires that proxies don't cache POST requests. Are you saying we should *not* include the headers, because proxies will not cache anyway ?
Or to add the headers ? And what does it has to do with SSL ?
(as an interested observer who has been fighting caching problems both with and without SSL for the last couple of days...)
Currently tomcat sets no-cache headers (Pragma: no-cache, Cache-Control: no-cache, and an Expires header) IF:
The resource is protected (requires authentication)
AND The resource is NOT accessed via SSL (since intermediaries won't ache things that are using SSL, I think). This is also neccesary to get internet explorer to behave sanely when serving files that it needs to open in an external program.
There's also a flag that disables this behaviour entirely.
As you correctly interpreted, Bill's suggestion is that these headers should _not_ be added for POST requests, because intermediaries will not cache these anyway. Disallowing caching has a tendency to cause undesirable behaviour on the client end (at least with IE, which many of us have to support), so my guess is that that is why Bill doesn't want these headers added in this case.
Mike Smith
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
