Closed Bug 176014 Opened 22 years ago Closed 22 years ago

HTTP/1.0 Pragma: no-cache ignored when javascript:back() or "Back"

Categories

(Core :: Networking: Cache, defect)

x86
Linux
defect
Not set
normal

Tracking

VERIFIED INVALID

People

(Reporter: shom, Assigned: gordon)

On Linux trunk 2002-10-22-04, HTTP/1.0 Pragma: no-cache is ignored when using the "Back" button or "javascript:back()". When using href, the page is reloaded. Tested on Tomcat-3.2.4 with the JSPs below.

-----------------------------------------------------
expire.jsp
<% response.setDateHeader("Date", System.currentTimeMillis()); %><%
%><% response.setDateHeader("Expires", 0); %><%
%><% response.setHeader("Pragma", "no-cache"); %><%
%><% response.setHeader("Cache-Control", "no-cache"); %><%
%><%@page contentType="text/html" %><%@page import="java.util.*" %>
<html>
<head>
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="Thu, 01 Jan 1970 00:00:00 GMT">
<meta http-equiv="Cache-Control" content="no-cache">
</head>
<body>
<%= new Date() %><br>
<form action="expire2.jsp"><input type=submit></form>
</body>
</html>
-----------------------------------------------------
-----------------------------------------------------
expire2.jsp
<html>
<body>
OK
<a href="expire.jsp">back</a>
<a href="javascript:back()">back2</a>
</body>
</html>
-----------------------------------------------------

no-cache does not apply to session history navigation; the RFC is very explicit about that. If your content is sensitive and you want to prevent malicious attackers from using "back" to get to it, use "no-store"...
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → INVALID
verified INVALID
Status: RESOLVED → VERIFIED
*** Bug 302707 has been marked as a duplicate of this bug. ***
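
The distinction drawn in the reply above, as an added example that is not part of the bug report or of Mozilla's code: a Python check that parses a response's caching headers and reports whether they include no-store or only directives that force revalidation. The function names, the three labels and the Date value in the sample headers are assumptions of this example.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# A directive is a token, optionally "=value"; a quoted value may contain commas.
_DIRECTIVE = re.compile(
    r"([A-Za-z0-9!#$%&'*+.^_`|~-]+)"
    r'(?:\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,]*))?')

def parse_cache_control(values):
    """Map each directive (lower-cased) to its argument, or None if it has none."""
    directives = {}
    for value in values:
        for name, arg in _DIRECTIVE.findall(value):
            directives[name.lower()] = arg.strip('"') or None
    return directives

def _expired(expires, date):
    """True if Expires is not later than Date (or now, when Date is absent)."""
    try:
        ref = parsedate_to_datetime(date) if date else datetime.now(timezone.utc)
        return parsedate_to_datetime(expires) <= ref
    except (TypeError, ValueError):
        return True  # unparsable dates such as "0" are treated as already expired

def classify(headers):
    """headers: (name, value) pairs. Labels are this example's own, not Mozilla's."""
    get = lambda name: [v for n, v in headers if n.lower() == name]
    cc = parse_cache_control(get("cache-control"))
    if "no-store" in cc:
        return "no-store"          # what the reply recommends for sensitive content
    pragma = any("no-cache" in v.lower() for v in get("pragma"))
    expires, date = get("expires"), get("date")
    expired = bool(expires) and _expired(expires[0], date[0] if date else None)
    # no-cache="field" covers only that field, so require the unqualified form
    unqualified = "no-cache" in cc and cc["no-cache"] is None
    if unqualified or pragma or expired or cc.get("max-age") == "0":
        return "revalidate-only"   # per the reply, Back may still redisplay the page
    return "cacheable"

# Constructed from the setHeader/setDateHeader calls in expire.jsp; Date value is made up.
REPORTER_HEADERS = [
    ("Date", "Tue, 22 Oct 2002 04:00:00 GMT"),
    ("Expires", "Thu, 01 Jan 1970 00:00:00 GMT"),
    ("Pragma", "no-cache"),
    ("Cache-Control", "no-cache"),
]

if __name__ == "__main__":
    print(classify(REPORTER_HEADERS))                                   # revalidate-only
    print(classify(REPORTER_HEADERS + [("Cache-Control", "no-store")]))  # no-store
```

Run against the headers a sensitive page actually returns, a result of "revalidate-only" means the page sends only the directives the reply says do not apply to session history navigation.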