Closed Bug 176014 Opened 22 years ago Closed 22 years ago

HTTP/1.0 Pragma: no-cache ignored when javascript:back() or "Back"

Categories

(Core :: Networking: Cache, defect)

x86
Linux
defect
Not set
normal

Tracking

VERIFIED INVALID

People

(Reporter: shom, Assigned: gordon)

On Linux trunk 2002-10-22-04

HTTP/1.0
Pragma: no-cache

is ignored when using the "Back" button or "javascript:back()".
When using href, the page is reloaded.

Tested on Tomcat-3.2.4 with the JSPs below.
----------------------------------------------------- expire.jsp
<% response.setDateHeader("Date", System.currentTimeMillis()); %><%
%><% response.setDateHeader("Expires", 0); %><%
%><% response.setHeader("Pragma", "no-cache"); %><%
%><% response.setHeader("Cache-Control", "no-cache"); %><%
%><%@page contentType="text/html" %><%@page import="java.util.*" %>
<html>
<head>
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="Thu, 01 Jan 1970 00:00:00 GMT">
<meta http-equiv="Cache-Control" content="no-cache">
</head>
<body>
<%= new Date() %><br>
<form action="expire2.jsp"><input type=submit></form>
</body>
</html>
-----------------------------------------------------
----------------------------------------------------- expire2.jsp
<html>
<body>
OK
<a href="expire.jsp">back</a>
<a href="javascript:back()">back2</a>
</body>
</html>
-----------------------------------------------------

no-cache does not apply to session history navigation; the RFC is very explicit
about that.

If your content is sensitive and you want to prevent malicious attackers from
using "back" to get to it, use "no-store"...
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → INVALID
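
An added example, not part of the bug report or Mozilla's code: a Python check that classifies a response's headers by the distinction drawn in the reply above, treating only no-store as covering session history (Back). The function names and sample header sets are assumptions constructed for illustration; EXPIRE_JSP mirrors the headers expire.jsp sends.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# One directive: a name, optionally followed by =token or ="quoted string".
_DIRECTIVE = re.compile(r'([^\s,=]+)\s*(?:=\s*("[^"]*"|[^\s,]*))?')

def parse_cache_control(values):
    """Map each Cache-Control directive (lower-cased) to its argument or None."""
    directives = {}
    for value in values:
        for name, arg in _DIRECTIVE.findall(value):
            directives[name.lower()] = arg.strip('"') or None
    return directives

def _expired(expires):
    """True if Expires is in the past; invalid dates such as "0" count as expired."""
    try:
        when = parsedate_to_datetime(expires)
    except (TypeError, ValueError):
        return True
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= datetime.now(timezone.utc)

def history_exposure(headers):
    """Classify (name, value) header pairs: 'no-store', 'revalidate-only' or 'cacheable'."""
    cc, pragma, expires = [], [], None
    for name, value in headers:
        key = name.lower()
        if key == "cache-control":
            cc.append(value)
        elif key == "pragma":
            pragma.append(value.lower())
        elif key == "expires":
            expires = value
    directives = parse_cache_control(cc)
    if "no-store" in directives:
        return "no-store"
    # no-cache="field" only restricts the named fields, so it is not counted here.
    unqualified = "no-cache" in directives and directives["no-cache"] is None
    if unqualified or any("no-cache" in p for p in pragma) or (
            expires is not None and _expired(expires)):
        return "revalidate-only"  # governs cache reuse, not session history (Back)
    return "cacheable"

# Constructed samples; EXPIRE_JSP mirrors the headers set by expire.jsp in the report.
EXPIRE_JSP = [("Expires", "Thu, 01 Jan 1970 00:00:00 GMT"),
              ("Pragma", "no-cache"), ("Cache-Control", "no-cache")]
HARDENED = [("Cache-Control", "no-cache, No-Store")]
QUOTED = [("Cache-Control", 'private, no-cache="Set-Cookie, no-store"')]
```

QUOTED shows why the header is parsed rather than substring-matched: the text no-store appears only inside a quoted argument, so the response is not reported as no-store.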
verified INVALID
Status: RESOLVED → VERIFIED
*** Bug 302707 has been marked as a duplicate of this bug. ***