> > Tomcat never sets "Cache-Control: no-store" and I can't find anywhere where Tomcat sets an empty expire header either.
Looking through the code, I saw AuthenticatorBase set the Expires header if using security constraints and not disabledProxyCaching if it's not a POST request.

We use <security-constraint> to force our users into https, and if I remove the security constraint then the invalid Expires header is not present and things work on Safari. I also tested adding the following to the context.xml and verified this also works (e.g. this does NOT produce an empty Expires header):

    <Valve className="org.apache.catalina.authenticator.SSLAuthenticator" disableProxyCaching="false"/>

It looks like the date string should be created fine by ConcurrentDateFormat; I wonder if there is some sort of bug in the setting of the header value itself?

I saw this both on 8.5.0.39 and 9.0.14.
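A check that can be run over captured response headers to tell an empty Expires value apart from a malformed or valid one. This is an added example, not part of the original message and not Tomcat code; the sample responses are constructed and the function names are hypothetical.

```python
from email.utils import parsedate_to_datetime

# Constructed sample responses (not captured from a real server).
SAMPLE_EMPTY = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: private\r\n"
    "Expires: \r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
SAMPLE_VALID = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: private\r\n"
    "Expires: Thu, 01 Jan 1970 00:00:00 GMT\r\n\r\n"
)
SAMPLE_GARBLED = "HTTP/1.1 200 OK\r\nExpires: not-a-date\r\n\r\n"


def parse_headers(raw):
    """Return (lowercased name, stripped value) pairs from a raw response."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_expires(raw):
    """Classify every Expires header as 'empty', 'unparseable' or 'valid'."""
    values = [v for n, v in parse_headers(raw) if n == "expires"]
    if not values:
        return ["absent"]
    findings = []
    for value in values:
        if value == "":
            findings.append("empty")
            continue
        try:
            # Raises ValueError (TypeError on older Pythons) for a bad date.
            parsedate_to_datetime(value)
            findings.append("valid")
        except (TypeError, ValueError):
            findings.append("unparseable")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_EMPTY, SAMPLE_VALID, SAMPLE_GARBLED):
        print(check_expires(sample))
```
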