Bjørn Mork <bjorn@mork.no> writes:
> We need to adapt
> to this imperfection by never caching a text object having a
> Set-Cookie or Set-Cookie2 field.
>
> Is this possible?
Well, I guess silence means no. Looking at the code, I think the best
solution would be adding a "no_cache_reply" access list and an acl
rule for matching reply header fields (or maybe header fields in general).
However, lazy as I am, I only did a quick and dirty hack like this:
--- squid-2.6-DEVEL-20021025-orig/configure.in 2002-10-25 02:14:03.000000000 +0200
+++ squid-2.6-DEVEL-20021025/configure.in 2002-10-25 23:49:05.000000000 +0200
@@ -862,6 +862,21 @@
fi
])
+dnl Disable caching of responses with Set-Cookie
+AC_ARG_ENABLE(caching-setcookie,
+[ --disable-caching-setcookie
+ Squid will cache responses with Set-Cookie in full
+ compliance with RFC 2965. However, many web sites
+ fail to add an appropriate Cache-Control field when
+ using Set-Cookie, risking the privacy of clients
+ using a shared cache like Squid. This will disable
+ caching of text objects with Set-Cookie],
+[ if test "$enableval" = "no" ; then
+ echo "Disabling caching of Set-Cookie"
+ AC_DEFINE(DONT_CACHE_SETCOOKIE, 1,[Disable caching of objects with Set-Cookie. Enabled by default.])
+ fi
+])
+
dnl Select Default hosts file location
AC_ARG_ENABLE(default-hostsfile,
[ --enable-default-hostsfile=path
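Review bot: The AC_DEFINE description "Disable caching of objects with Set-Cookie. Enabled by default." reads as if the define itself were enabled by default, while the option is `--disable-caching-setcookie`, i.e. caching is the default and DONT_CACHE_SETCOOKIE is only set when the user opts out; reword it along the lines of "Refuse to cache objects carrying Set-Cookie (caching of such objects is the default)". Also, since this is a compile-time switch, operators who hit the privacy problem on an already-built Squid cannot turn it on without rebuilding; a run-time squid.conf directive (or the reply-header ACL the cover text mentions) would be the more usable form.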
--- squid-2.6-DEVEL-20021025-orig/src/http.c 2002-10-04 11:53:35.000000000 +0200
+++ squid-2.6-DEVEL-20021025/src/http.c 2002-10-25 23:55:22.000000000 +0200
@@ -262,6 +262,22 @@
if ((v = httpHeaderGetStr(hdr, HDR_CONTENT_TYPE)))
if (!strncasecmp(v, "multipart/x-mixed-replace", 25))
return 0;
+
+#ifdef DONT_CACHE_SETCOOKIE
+ /*
+ * Many sites use Set-Cookie on private documents without the
+ * appropriate Cache-Control: private directive. This may cause
+ * clients to get other clients personal information from the
+ * cache. To be on the safe side, we just disable caching of any
+ * text object with Set-Cookie.
+ */
+ if (httpHeaderHas(hdr, HDR_SET_COOKIE) && (v = httpHeaderGetStr(hdr, HDR_CONTENT_TYPE)))
+ if (!strncasecmp(v, "text/", 5)) {
+ debug(11, 4) ("httpCachableReply: Uncachable: text object with Set-Cookie\n");
+ return 0;
+ }
+#endif
+
switch (httpState->entry->mem_obj->reply->sline.status) {
/* Responses that are cacheable */
case HTTP_OK:
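Review bot: The new check only refuses to cache replies whose Content-Type starts with "text/", so a non-text response that sets a cookie (an application/* body, for instance) is still cacheable and exposed to the same cross-user leak the comment describes; either drop the `strncasecmp(v, "text/", 5)` restriction or document why text objects are the only concern. The check also returns 0 unconditionally, so a reply that carries Set-Cookie together with an explicit `Cache-Control: public` is treated the same as one that forgot the header; if that is intended, say so in the comment, otherwise test for an explicit public/max-age before refusing. Minor: `v` is re-fetched with `httpHeaderGetStr(hdr, HDR_CONTENT_TYPE)` although it was already obtained for the multipart/x-mixed-replace test a few lines above.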
I am amazed that no one else on this list seems to have run into this
problem. It took us just a few days of testing squid on one of our
proxies before users started complaining about seeing other users'
personal data on some sites.
Bjørn
Received on Mon Oct 28 2002 - 02:11:09 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:10:55 MST