WebApp Sec mailing list archives
Re: How to prevent Internet Explorer from locally caching pages
From: Adrian Caneva <acaneva () nexttech com ar>
Date: 4 Apr 2003 21:44:25 -0000
In-Reply-To: <Pine.LNX.4.44.0304032032030.886-100000@localhost.localdomain>

Thanks for your quick responses!

After some research I believe I've found an answer.

Usually web applications send 3 basic headers to prevent caching:

Cache-Control : no-cache //HTTP 1.1 http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.1
Pragma : no-cache; //HTTP 1.0 http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.32 for proxies
Expires : -1

Maybe also some other headers like (cache-control, private).

As Liam correctly pointed out, the (Expire, -1) header is not mandatory, and should be ignored for history retrieving methods if the page is in local cache. But the page should not be in local cache in the first place, because the (cache-control, no-cache) header would prevent any intermediate cache from storing it.

The problem with this statement is that it is an HTTP/1.1 header. Internet Explorer would evaluate this header only if it comes in an HTTP/1.1 response. If an HTTP/1.0 proxy server like Squid is between the web application and the browser, MSIE would receive this header in an HTTP/1.0 response block and will ignore it, no matter if the web server at the origin is HTTP/1.1 compliant. If the proxy is not in the chain, MSIE behaves as expected, not caching the response locally.

Additionally, Internet Explorer needs the advanced setting "Use HTTP 1.1 through proxy connections" to place HTTP 1.1 requests behind a proxy.

Microsoft says that for HTTP 1.0 servers the (pragma, no cache) header would prevent MSIE from storing local copies of the response if it comes from a secure site. And this is the simplistic workaround.

Best regards and thanks again,
Adrian Caneva
FWIW, IE's behaviour seems to be in agreement with the HTTP/1.1 specification:

    By default, an expiration time does not apply to history mechanisms. If the entity is still in storage, a history mechanism SHOULD display it even if the entity has expired, unless the user has specifically configured the agent to refresh expired history documents.

http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html#sec13.13

--
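
Added example, not part of the original thread: a small audit of a raw HTTP response as the browser receives it, flagging the case the message above describes, where Cache-Control: no-cache arrives inside an HTTP/1.0 response after passing a proxy. The "honoured" rules model the MSIE behaviour stated in the message and are assumptions, not browser code; the sample responses and the host name proxy.example are constructed.

```python
# Added example (not from the original thread). The "honoured" rules below model
# the MSIE behaviour described in the post; they are assumptions, not browser code.

def parse_head(raw: bytes):
    """Return (http_version, {lowercase-name: [values]}) for a raw response head."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    proto = lines[0].split(" ", 1)[0]
    if not proto.startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return proto[5:], headers

def directives(values):
    """Split comma-separated header values into lowercase directive tokens."""
    tokens = set()
    for value in values:
        for part in value.split(","):
            token = part.split("=", 1)[0].strip(" ;\t").lower()
            if token:
                tokens.add(token)
    return tokens

def audit_no_cache(raw: bytes, secure: bool):
    """Report whether the response, as the browser receives it, blocks local caching."""
    version, headers = parse_head(raw)
    cc = "no-cache" in directives(headers.get("cache-control", []))
    pragma = "no-cache" in directives(headers.get("pragma", []))
    findings = []
    if cc and version != "1.1":
        findings.append("Cache-Control: no-cache delivered as HTTP/%s (downgraded by a proxy?)" % version)
    if not pragma:
        findings.append("no Pragma: no-cache fallback for HTTP/1.0 delivery")
    elif not secure:
        findings.append("Pragma: no-cache present, but the post only vouches for it on secure sites")
    protected = (cc and version == "1.1") or (pragma and secure)
    return {"version": version, "protected": protected, "findings": findings}

# Constructed sample responses: the same origin headers seen directly and via an HTTP/1.0 proxy.
ORIGIN_HEADERS = b"Content-Type: text/html\r\nCache-Control: no-cache\r\nExpires: -1\r\n\r\n<html>"
DIRECT = b"HTTP/1.1 200 OK\r\n" + ORIGIN_HEADERS
VIA_PROXY = b"HTTP/1.0 200 OK\r\nVia: 1.0 proxy.example\r\n" + ORIGIN_HEADERS
VIA_PROXY_FIXED = VIA_PROXY.replace(b"Expires", b"Pragma : no-cache;\r\nExpires")

if __name__ == "__main__":
    for label, raw in (("direct", DIRECT), ("proxy", VIA_PROXY), ("proxy+pragma", VIA_PROXY_FIXED)):
        print(label, audit_no_cache(raw, secure=True))
```

Run against responses captured on the client side of the proxy, since the origin server's own view of its headers does not show the protocol downgrade.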