Ryan Bloom wrote:
>
> 1) If I have a page that I have served and it gets put in the cache,
>    then it will be served out of the quick_handler phase.  However, if I
>    then add or modify a .htaccess file to deny access to that page,
>    then my changes won't be honored until the page expires from the
>    cache.  This is a security hole, because I don't know of any way to
>    invalidate cached pages.  (This one is from a conversation with
>    wrowe).  [ I guess it might be possible to clear the cache with a
>    graceful restart. ]

How does this differ from the document being cached anywhere else?
Such as in squid, or a proxy, or the client's cache?  Depending upon
the cache-control fields in the original response header, the cache
engine may not even do a conditional GET.  (Not trying to be
obstreperous; asking a serious question.)

> 2) If I have a page that uses access checking to ensure that only
>    certain people can request the page, the cache_filter will put it
>    in the quick handler.

I thought the caching modules didn't cache anything that required
either access or auth/authz checking.  FirstBill?

> 3) It isn't possible for a module author to circumvent the
>    quick_handler phase.  If I write a module that doesn't want to
>    allow the quick_handler phase, for security reasons, I can't
>    enforce it.

How can a module author disallow *any* phase?  That's a core
function, not up to modules to decide.

-- 
#ken    P-)}

Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
Author, developer, opinionist      http://Apache-Server.Com/

"Millennium hand and shrimp!"
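The ordering issue raised in point 1 of this thread, as an added example that is not part of the original message and is not Apache code: a simplified Python model in which the cache lookup runs either before the access check (the quick-handler ordering) or only after it. The `Server` class, its methods, the `denied` set standing in for `.htaccess`, and the 60-second lifetime are assumptions made for illustration.

```python
class Server:
    """Toy request pipeline: optional quick-handler phase, then access check."""

    def __init__(self, quick_handler=True):
        self.quick_handler = quick_handler
        self.cache = {}       # path -> (body, expires_at)
        self.denied = set()   # stands in for per-directory deny rules
        self.docs = {}        # origin content

    def cache_lookup(self, path, now):
        entry = self.cache.get(path)
        if entry and now < entry[1]:
            return entry[0]
        self.cache.pop(path, None)   # expired or absent
        return None

    def handle(self, path, now, ttl=60):
        # Quick-handler ordering: cache is consulted before any access check.
        if self.quick_handler:
            body = self.cache_lookup(path, now)
            if body is not None:
                return 200, body, "cache (before access check)"
        # Access-check phase: current rules are evaluated on every request
        # that reaches this point.
        if path in self.denied:
            return 403, "", "access check"
        # Alternative ordering: cache is consulted only after access passed.
        if not self.quick_handler:
            body = self.cache_lookup(path, now)
            if body is not None:
                return 200, body, "cache (after access check)"
        body = self.docs[path]
        self.cache[path] = (body, now + ttl)
        return 200, body, "origin"


def scenario(quick_handler):
    """Serve a page, deny it at t=0, then request it at t=30 and t=61."""
    s = Server(quick_handler)
    s.docs["/report.html"] = "constructed sample body"
    first = s.handle("/report.html", now=0)
    s.denied.add("/report.html")          # rule change after the page was cached
    during = s.handle("/report.html", now=30)
    after = s.handle("/report.html", now=61)
    return [first[0], during[0], after[0]]
```

With the quick-handler ordering the deny rule takes effect only once the cached entry has expired; with the lookup placed after the access check it takes effect on the next request.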
