http://issues.apache.org/bugzilla/show_bug.cgi?id=34083

           Summary: disableProxyCaching behaviour of authenticator causes problems
           Product: Tomcat 5
           Version: 5.5.4
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: minor
          Priority: P2
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: [EMAIL PROTECTED]

In my opinion this code, enabled by default, is a little bit too much.

First - if it's to protect security it should use just Cache-control: private. That's what "private" is designed for.

However this form adds numerous problems for first-time Tomcat users. It is not a well documented feature, and is enabled by default. It's incompatible with regular webserver behaviour.

It's a bad programming design. It's not the authenticator's responsibility to deal with caching. The authenticator should just deal with authentication. The authenticator should be fully transparent to other layers.

Results are:

* extensive server load - in our case JavaScript code put on a page caused the page to be refreshed on every rollover element, resulting in bad user experience,
* problems with opening dynamically generated files - for both Mozilla and IE this notion makes problems - the file is already expired when downloaded to the user, which results in problems that are hard to debug; usually such a file will appear empty in Mozilla, and IE will just say it can't open it

        // Make sure that constrained resources are not cached by web proxies
        // or browsers as caching can provide a security hole
        if (disableProxyCaching &&
            // FIXME: Disabled for Mozilla FORM support over SSL
            // (improper caching issue)
            //!request.isSecure() &&
            !"POST".equalsIgnoreCase(request.getMethod())) {
            response.setHeader("Pragma", "No-cache");
            response.setHeader("Cache-Control", "no-cache");
            response.setHeader("Expires", DATE_ONE);
        }

I would replace this code with just:

        // or browsers as caching can provide a security hole
        if (disableProxyCaching &&
            // FIXME: Disabled for Mozilla FORM support over SSL
            // (improper caching issue)
            //!request.isSecure() &&
            !"POST".equalsIgnoreCase(request.getMethod())) {
            response.setHeader("Cache-Control", "private");
        }
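
Added example (not part of the bug report and not Tomcat code): a simplified model of the cache directives in the two header sets above, showing what each one permits a shared proxy cache and a browser to do. The class and method names are hypothetical, and the Expires value is a constructed past date standing in for DATE_ONE.

```java
import java.time.*;
import java.time.format.*;
import java.util.*;

// Added example, not Tomcat code: simplified RFC 7234 cache semantics.
// Ignores Vary, Authorization, max-age, s-maxage and heuristic freshness.
public class CacheHeaderCheck {
    // Lower-cased Cache-Control directive names; directive arguments are dropped.
    static Set<String> directives(Map<String, String> h) {
        Set<String> out = new HashSet<>();
        for (String part : h.getOrDefault("Cache-Control", "").split(",")) {
            String name = part.trim().toLowerCase(Locale.ROOT);
            int eq = name.indexOf('=');
            if (eq >= 0) name = name.substring(0, eq).trim();
            if (!name.isEmpty()) out.add(name);
        }
        return out;
    }
    // A shared cache (proxy) must not store responses marked private or no-store.
    static boolean sharedCacheMayStore(Map<String, String> h) {
        Set<String> d = directives(h);
        return !d.contains("private") && !d.contains("no-store");
    }
    // no-cache: a stored copy may not be reused without revalidating with the origin.
    static boolean revalidateBeforeReuse(Map<String, String> h) {
        return directives(h).contains("no-cache");
    }
    // An Expires date in the past (or an unparseable one) means already stale.
    static boolean expiredOnArrival(Map<String, String> h, Instant now) {
        String exp = h.get("Expires");
        if (exp == null) return false;
        try {
            return !ZonedDateTime.parse(exp, DateTimeFormatter.RFC_1123_DATE_TIME).toInstant().isAfter(now);
        } catch (DateTimeParseException e) { return true; }
    }
    static String report(String label, Map<String, String> h) {
        return String.format("%-8s proxyMayStore=%b revalidate=%b expired=%b", label,
                sharedCacheMayStore(h), revalidateBeforeReuse(h), expiredOnArrival(h, Instant.now()));
    }

    public static void main(String[] args) {
        // Constructed past date standing in for DATE_ONE, whose value the report does not show.
        Map<String, String> current = Map.of("Pragma", "No-cache", "Cache-Control", "no-cache",
                "Expires", "Thu, 01 Jan 1970 00:00:00 GMT");
        Map<String, String> proposed = Map.of("Cache-Control", "private");
        System.out.println(report("current", current));
        System.out.println(report("proposed", proposed));
    }
}
```

In this model `no-cache` does not forbid a proxy from storing the response; it forces revalidation with the origin on every use, and the past Expires date marks the copy stale on arrival. `private` forbids shared storage but lets the browser keep and reuse its own copy, so it remains on the client.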