Ok, you are right, I only considered the case without authentication. With authentication shared caching must not happen. And it's all about shared caches only. So I agree now we should send Cache-Control: private with GET requests too. Stefan
Unico Hommes wrote:
But that would be a security risk no? I mean if user A has privileges to read a certain resource and user B has not. The client implementation may still decide to show user B the resource that is in the cache on the basis that it is not private to user A. Am I wrong?
-- Unico
Stefan Lützkendorf wrote:
For GET requests it should not be sent by default. They should be cacheable, I think, because it is the standard HTTP GET.
I would prefer a configurable way. Maybe a Filter to be configured in the web.xml.
Stefan
Unico Hommes wrote:
James Mason wrote:
http://issues.apache.org/bugzilla/show_bug.cgi?id=23497
It's about a year old. The patch looks innocuous, from the RFC:
"private Indicates that all or part of the response message is intended
for a single user and MUST NOT be cached by a shared cache."
Looks like a directive we ought to send not only with GET/HEAD but with other read requests as well (PROPFIND/REPORT/SEARCH/etc). Except perhaps when authentication is turned off or all users operate under the same principal. Although I don't think our implementation has to differentiate between these situations.
-- Unico
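The configurable servlet filter Stefan suggests, written out as an added example (this is not Apache Slide's own code and not the patch from the bug report): when the request is authenticated it marks the response `Cache-Control: private` regardless of method, so PROPFIND, REPORT and SEARCH responses are covered along with GET/HEAD, and a shared cache cannot hand user A's resource to user B. The class name `PrivateCacheFilter`, the init parameter `onlyWhenAuthenticated`, and the web.xml mapping in the trailing comment are assumptions for this illustration.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Added example (not Slide's code): adds "Cache-Control: private" to responses
// for authenticated requests so shared caches (proxies, CDNs) never store them.
// Private caches (the user's own browser) may still cache the response.
public class PrivateCacheFilter implements Filter {

    // Assumed init parameter: when false, every response is marked private,
    // which is the safe default if the deployment cannot tell users apart.
    private boolean onlyWhenAuthenticated = true;

    public void init(FilterConfig config) throws ServletException {
        String v = config.getInitParameter("onlyWhenAuthenticated");
        if (v != null) {
            onlyWhenAuthenticated = Boolean.parseBoolean(v);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Container-managed auth sets the remote user; an Authorization header
        // covers applications that authenticate on their own.
        boolean authenticated = request.getRemoteUser() != null
                || request.getHeader("Authorization") != null;

        if (!onlyWhenAuthenticated || authenticated) {
            // Wrap the response so a downstream servlet that sets its own
            // Cache-Control value cannot silently drop the private directive.
            chain.doFilter(req, new PrivateResponse(response));
        } else {
            chain.doFilter(req, res);
        }
    }

    public void destroy() {
    }

    // Ensures every Cache-Control header written to this response keeps
    // "private" (or "no-store", which already forbids all caching).
    private static final class PrivateResponse extends HttpServletResponseWrapper {

        PrivateResponse(HttpServletResponse response) {
            super(response);
            // Set up front, before any servlet output can commit the response.
            response.setHeader("Cache-Control", "private");
        }

        @Override
        public void setHeader(String name, String value) {
            super.setHeader(name, ensurePrivate(name, value));
        }

        @Override
        public void addHeader(String name, String value) {
            super.addHeader(name, ensurePrivate(name, value));
        }

        static String ensurePrivate(String name, String value) {
            if (!"Cache-Control".equalsIgnoreCase(name)) {
                return value;
            }
            if (value == null || value.trim().isEmpty()) {
                return "private";
            }
            String lower = value.toLowerCase();
            if (lower.contains("private") || lower.contains("no-store")) {
                return value;
            }
            // e.g. "max-age=60" becomes "max-age=60, private": browsers may
            // still cache it, shared caches must not.
            return value + ", private";
        }
    }
}

/* Assumed web.xml fragment wiring the filter in front of the WebDAV servlet:
<filter>
  <filter-name>PrivateCacheFilter</filter-name>
  <filter-class>PrivateCacheFilter</filter-class>
  <init-param>
    <param-name>onlyWhenAuthenticated</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>PrivateCacheFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
*/
```

Setting `onlyWhenAuthenticated` to `false` reproduces the simpler behaviour from the bug report's patch (always private); leaving it `true` keeps unauthenticated GET responses cacheable by shared caches, which is the case Stefan wanted to preserve.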
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
-- Stefan Lützkendorf -- [EMAIL PROTECTED]
