Re: Security Problem with caching

From: Henrik Nordstrom <>
Date: Fri, 14 Feb 1997 22:23:39 +0100

Yes, there are some (quite simple) rules for caching:
1. Only GET requests may be cached
2. Authenticated requests is not allowed to be cached
3. Expires: and possibly some headers from HTTP 1.1 says when a object
is stale and needs to be refreshed.

Yes. All known caches adhere this rules (or at least is supposed to).

But to my knowledge, all caches breake one of the guidelines for
caching... a request should only be considered to be identical if all
headers in the request is the same (with some exceptions). Reason:
Content Negotiation based on Accepts: and/or User-Agent. Most caches
only check the URL part of the request (and if the request and response
is cacheable).

Henrik Nordstrom
Kai Bartels wrote:
> The other way around: is there a method in HTTP (I must admit I'm not
> familiar with the protocol) for the web-server to declare that an
> object should not be cached?
> And do caches adhere to that command if it exitst?
> > Peter Woo
> greetings, Kai
> --
> Kai Bartels   *   R&D   *   *   +49 511 28393-50
> picture/safe MEDIA/DATA/BANK GmbH   *  Seelhorststr. 44  *  D-30175 Hannover
> Phone: +49 511 28393-0 * Fax: +49 511 28393-10 * eMail:
Received on Fri Feb 14 1997 - 13:50:05 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:34:27 MST