WebApp Sec mailing list archives

Re: How to prevent Internet Explorer from locally caching pages


From: Adrian Caneva <acaneva () nexttech com ar>
Date: 4 Apr 2003 21:44:25 -0000

In-Reply-To: <Pine.LNX.4.44.0304032032030.886-100000@localhost.localdomain>

Thanks for your quick responses! 
After some research I believe I've found an answer.

Usually web applications send 3 basic headers to prevent caching:

Cache-Control: no-cache
// HTTP 1.1 http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.1

Pragma: no-cache
// HTTP 1.0 http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.32
// for proxies

Expires: -1

Maybe also, some other headers like (cache-control, private).
As Liam correctly pointed out (Expire, -1) header is not mandatory. And 
should be ignored for history retrieving methods if the page is in local 
cache.
But the page should not be in local cache in the first place because 
(cache-control, no-cache) header would prevent any intermediate cache from 
storing it. 
The problem with this statement is that it is an HTTP/1.1 header. 
Internet Explorer would evaluate this header only if it comes in an 
HTTP/1.1 response.
If a Proxy server HTTP/1.0 like Squid is between the web application and 
the browser, MSIE would receive this header into an HTTP/1.0 response 
block and will ignore it. 
No matter if the web server at the origin is HTTP/1.1 compliant.
If the proxy is not in the chain, MSIE behaves as expected, not caching 
the response locally.
Additionally, Internet Explorer needs the advanced setting "Use HTTP 1.1 
through proxy connections" to place HTTP 1.1 requests behind a proxy.
Microsoft says that for HTTP 1.0 servers (pragma, no cache) header would 
prevent MSIE from storing local copies of the response if it comes from a 
secure site. And this is the simplistic workaround.

Best regards and thanks again,

Adrian Caneva

FWIW, IE's behaviour seems to be in agreement with the HTTP/1.1 
specification:

  By default, an expiration time does not apply to history mechanisms.
  If the entity is still in storage, a history mechanism SHOULD display
  it even if the entity has expired, unless the user has specifically
  configured the agent to refresh expired history documents.

http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html#sec13.13
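The following is an added example, not code from the original post or from any of the thread's participants. It builds the three anti-caching response headers discussed above and audits a raw HTTP response head against the client behaviour described in the thread: a client that honours Cache-Control only on HTTP/1.1 responses, so that the same headers relayed in an HTTP/1.0 response from a proxy are ignored unless Pragma: no-cache is also present. The sample responses, and the names `audit`, `parse_response_head` and `cache_findings`, are constructed for this example; the directive names and RFC section references are the ones cited in the post.

```python
"""Audit HTTP response heads for the no-cache headers discussed in the thread.

Model (taken from the post): Cache-Control is an HTTP/1.1 header and a client
like the one described only evaluates it on HTTP/1.1 responses; Pragma: no-cache
is the HTTP/1.0 fallback; Expires: -1 is an invalid date, i.e. already expired.
"""

# The three response headers the post recommends sending.
NO_CACHE_HEADERS = {
    "Cache-Control": "no-cache",  # HTTP/1.1, RFC 2616 sec 14.9.1
    "Pragma": "no-cache",         # HTTP/1.0 fallback, RFC 2616 sec 14.32
    "Expires": "-1",              # invalid date => treated as already expired
}


def parse_response_head(raw: bytes):
    """Split a raw response head into (http_version, status_code, headers).

    Header names are lower-cased; only the first block before the blank line
    is parsed. Constructed for this example; not a general HTTP parser.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(None, 2)          # "HTTP/1.1 200 OK" -> 3 parts
    version, status = parts[0], int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return version, status, headers


def cache_findings(version: str, headers: dict) -> list:
    """Return a list of warnings for a response that may get cached locally."""
    findings = []
    directives = {
        d.strip().lower()
        for d in headers.get("cache-control", "").split(",")
        if d.strip()
    }
    # no-store is stricter than no-cache and also acceptable.
    if not directives & {"no-cache", "no-store"}:
        findings.append("missing Cache-Control: no-cache")
    elif version == "HTTP/1.0":
        findings.append(
            "Cache-Control present but the response is HTTP/1.0 "
            "(e.g. relayed by an HTTP/1.0 proxy); a client that only parses "
            "Cache-Control on HTTP/1.1 responses will ignore it"
        )
    if headers.get("pragma", "").lower() != "no-cache":
        findings.append("missing Pragma: no-cache (HTTP/1.0 clients and proxies)")
    if "expires" not in headers:
        findings.append("missing Expires header")
    return findings


def audit(raw: bytes) -> list:
    """Convenience wrapper: parse a raw response head and return its findings."""
    version, _status, headers = parse_response_head(raw)
    return cache_findings(version, headers)


# Constructed sample responses (not captured from a real server).
# 1) As sent by an HTTP/1.1 origin server with all three headers.
ORIGIN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Pragma: no-cache\r\n"
    b"Expires: -1\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n<html>...</html>"
)

# 2) The same headers, but the status line rewritten to HTTP/1.0 by a proxy,
#    and Pragma dropped: only Cache-Control and Expires survive.
PROXIED_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Expires: -1\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n<html>...</html>"
)

if __name__ == "__main__":
    for label, raw in (("origin", ORIGIN_RESPONSE), ("proxied", PROXIED_RESPONSE)):
        print(label, audit(raw) or ["ok"])
```

Running the block prints no findings for the HTTP/1.1 origin response and two findings for the proxied HTTP/1.0 response (Cache-Control ignored, Pragma missing), which is exactly the failure the post attributes to an HTTP/1.0 proxy such as Squid sitting between the application and the browser.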
