Fellow Jetspeed Users,

I'd like to share a few points regarding HTTP headers which I discovered while working on a cache issue in Jetspeed.

When browsing the portal, the browser may prompt the user to refresh the page when the Back button is pressed. By default, the portal is configured with the header values Cache-Control = "no-cache" and Pragma = "no-cache" (see http.lifetime=0 in JetspeedResources.props). Since the browser cache is turned off, the browser prompts for a refresh to retrieve data that is necessary to render the previous page.

As a first attempt at a solution, I turned Cache-Control on with an http.lifetime value greater than zero so the browser will cache for that period. This appeared to solve the problem since the browser did not prompt for a refresh when pressing the Back button. However, a more serious problem occurred. Since the cache was turned on, the browser rendered pages from the cache that were stored from a prior user's session. This means that caching may allow a user to see another user's portlets. Opening a new browser did not solve this problem.

To solve the caching problem and not create a more serious security problem, do the following:

- Set Expires in the HTTP Response to 0.
- Do not set any other Cache headers such as Cache-Control or Pragma.

With Expires set to 0, the browser retrieves the page from the server when Refresh is pressed. This may slow the portal a little, but it is necessary to prevent the browser from serving cached pages from another user's session. For a detailed discussion on cache headers refer to RFC 2616 at http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html.

I made the following specific changes to solve the caching issue:

1) Extended JetspeedVelocityPage as NovusJetspeedVelocityPage. This new class extends the doBuildAfterAction() method to set Expires=0 when http.lifetime=-1 in JetspeedResources.props.
2) Changed http.lifetime=-1 in JetspeedResources.props.
3) Replaced services.VelocityService.default.page = JetspeedVelocityPage with services.VelocityService.default.page = NovusJetspeedVelocityPage in TR.props.

Hope this helps!

Tom Keeney
Novus Consulting Group
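Added example (not part of the original post and not Jetspeed code): a Python sketch of the RFC 2616 freshness calculation a browser applies to the three header settings discussed in the post, which can be used to check a portal's responses for pages a later user of the same browser could be shown from cache. The max-age=300 header standing in for http.lifetime > 0 is an assumption about what the portal emits, and all sample headers and the fixed clock are constructed.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed clock so the Expires arithmetic is reproducible.
FIXED_NOW = datetime(1994, 12, 1, 15, 0, 0, tzinfo=timezone.utc)

def freshness_lifetime(headers, now=None):
    """Seconds the browser may reuse a response without asking the server
    (RFC 2616 sec. 13.2.4). 0 = must go back; None = no explicit lifetime."""
    now = now or datetime.now(timezone.utc)
    h = {k.lower(): v.strip() for k, v in headers.items()}
    directives = {}
    for part in h.get("cache-control", "").split(","):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip('"')
    if "no-cache" in directives or "no-store" in directives:
        return 0
    if "max-age" in directives:  # max-age takes precedence over Expires
        try:
            return max(int(directives["max-age"]), 0)
        except ValueError:
            return 0
    if "no-cache" in h.get("pragma", "").lower():
        return 0  # browsers commonly honour Pragma: no-cache on responses
    if "expires" in h:
        try:
            expires = parsedate_to_datetime(h["expires"])
        except (TypeError, ValueError):
            return 0  # invalid date such as "0" means already expired
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return max(int((expires - now).total_seconds()), 0)
    return None  # nothing explicit: browser heuristics decide

def reusable_by_next_user(headers, now=None):
    """True if a later user of the same browser could be shown the cached page."""
    return freshness_lifetime(headers, now) != 0

# Constructed responses for the three settings in the post.
SAMPLES = {
    "default (http.lifetime=0)": {"Cache-Control": "no-cache", "Pragma": "no-cache"},
    "lifetime > 0 (assumed header)": {"Cache-Control": "max-age=300"},
    "Expires only": {"Expires": "0"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, freshness_lifetime(hdrs), reusable_by_next_user(hdrs))
```

Only the setting with a positive lifetime is reported as reusable; a response with no cache headers at all returns None and is treated as reusable because the browser is then free to apply its own heuristics.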
