On Tue, 23 Apr 2002 11:52:26 +0100, Richard Barrett

>Unless someone can refute this scenario (please, please do) then it appears 
>to me that Cache-Control headers need to be added to all responses 
>conditional on authentication by Zope using cookie authentication.

I believe you are correct. Cache-Control:private is needed on pages
accessed under cookie authentication, and probably
Cache-Control:no-cache on the page that sets the cookie.

>Maybe Zope should just add a Cache-Control header with a value of private, 
>no-cache or no-store to all responses that its security sub-system 
>determines are to other than the Anonymous user. It would do no harm if 
>Basic Authentication were being used and would plug the security hole I 
>have posited if cookie authentication were in use.

Yes, but it must allow the published method to set its own headers.

I once had a patch that did the opposite of that: It set
Cache-Control:public on all responses that were accessed by an
authenticated user, if it determined that an unauthenticated user
could have accessed them too.

>I'd propose a patch myself but I am not that confident in hacking around 
>Zope's security management code.

Put it in the Collector.

Toby Dickenson
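One way to model the rule the thread converges on (private for authenticated responses, no-cache for the response that sets the cookie, and no override of headers the published method already set), as an added example that is neither Zope's code nor the patch described above; the function names, the headers dict and the two boolean flags are assumptions:

```python
# Added example, not Zope code: a policy function for the Cache-Control
# rule discussed in the thread, plus the check a shared cache would make.

PRIVATE = "private"
NO_CACHE = "no-cache"


def apply_cache_policy(headers, authenticated, sets_auth_cookie):
    """Return a copy of `headers` with Cache-Control set by the thread's rule.

    headers:          dict of response headers (matched case-insensitively)
    authenticated:    True if the request was served to a non-anonymous user
    sets_auth_cookie: True if this response is the one setting the auth cookie
    A Cache-Control value set explicitly by the published method is kept.
    """
    out = dict(headers)
    if any(k.lower() == "cache-control" for k in out):
        return out  # the published method chose its own policy
    if sets_auth_cookie:
        # The credential-setting response must always be revalidated.
        out["Cache-Control"] = NO_CACHE
    elif authenticated:
        # Content shown to an authenticated user must not be stored
        # by a shared cache and handed to the next visitor.
        out["Cache-Control"] = PRIVATE
    # Anonymous responses are left untouched.
    return out


def shared_cache_may_reuse(headers):
    """True only if no Cache-Control directive forbids a shared cache from
    reusing the response without revalidation (private, no-cache, no-store)."""
    for k, v in headers.items():
        if k.lower() == "cache-control":
            directives = {d.strip().split("=")[0].lower() for d in v.split(",")}
            if directives & {"private", "no-cache", "no-store"}:
                return False
    return True
```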
