HTTP/1.0 Pragma: no-cache ignored when javascript:back() or "Back"

VERIFIED INVALID

Status


Core
Networking: Cache
16 years ago
13 years ago

People

(Reporter: Shoji Matsumoto, Assigned: gordon)

Tracking

Trunk
x86
Linux

Details

(Reporter)

Description

16 years ago
on Linux trunk 2002-10-22-04

HTTP/1.0
Pragma: no-cache

is ignored when using the "Back" button or "javascript:back()".
When using href, the page is reloaded.

Tested on Tomcat-3.2.4 with the JSPs below.
----------------------------------------------------- expire.jsp
<% response.setDateHeader("Date", System.currentTimeMillis()); %><%
%><% response.setDateHeader("Expires", 0); %><%
%><% response.setHeader("Pragma", "no-cache"); %><%
%><% response.setHeader("Cache-Control", "no-cache"); %><%
%><%@page contentType="text/html" %><%@page import="java.util.*" %>
<html>
<head>
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="Thu, 01 Jan 1970 00:00:00 GMT">
<meta http-equiv="Cache-Control" content="no-cache">
</head>
<body>
<%= new Date() %><br>
<form action="expire2.jsp"><input type=submit></form>
</body>
</html>
-----------------------------------------------------
----------------------------------------------------- expire2.jsp
<html>
<body>
OK
<a href="expire.jsp">back</a>
<a href="javascript:back()">back2</a>
</body>
</html>
-----------------------------------------------------

no-cache does not apply to session history navigation; the RFC is very explicit
about that.

If your content is sensitive and you want to prevent malicious attackers from
using "back" to get to it, use "no-store"...
Status: UNCONFIRMED → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → INVALID
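
The distinction drawn in the reply above, as an added example (not code from this bug or from Mozilla): a Python check that parses a response's Cache-Control lines and reports whether the page relies only on no-cache, Pragma and Expires or actually sends no-store. The function names and both header lists are constructed for illustration; the first list mirrors what expire.jsp sets.

```python
import re

# One directive: a token, optionally "=" plus a token or a quoted string.
# Matching the quoted string whole keeps commas inside it from splitting.
_DIRECTIVE = re.compile(r'([^\s,="]+)(?:\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,]*))?')


def cache_directives(headers):
    """Merge every Cache-Control line into {directive: argument or None}."""
    found = {}
    for name, value in headers:
        if name.strip().lower() != "cache-control":
            continue
        for m in _DIRECTIVE.finditer(value):
            arg = m.group(2)
            found[m.group(1).lower()] = arg.strip('"') if arg else None
    return found


def audit_history_exposure(headers):
    """Return (ok, findings); ok is True only when no-store is sent."""
    directives = cache_directives(headers)
    if "no-store" in directives:
        return True, ["Cache-Control: no-store is present"]
    findings = []
    if "no-cache" in directives:
        findings.append("Cache-Control: no-cache does not cover session history")
    for name, value in headers:
        lname = name.strip().lower()
        if lname == "pragma" and "no-cache" in value.lower():
            findings.append("Pragma: no-cache does not cover session history")
        elif lname == "expires":
            findings.append("Expires does not cover session history")
    findings.append("no-store is missing: Back can redisplay this page")
    return False, findings


# Constructed sample: the response headers expire.jsp sets.
EXPIRE_JSP = [
    ("Expires", "Thu, 01 Jan 1970 00:00:00 GMT"),
    ("Pragma", "no-cache"),
    ("Cache-Control", "no-cache"),
]
# Constructed sample: the same response with the directive the reply recommends.
HARDENED = EXPIRE_JSP + [("Cache-Control", "no-store")]

if __name__ == "__main__":
    for label, hdrs in (("expire.jsp", EXPIRE_JSP), ("hardened", HARDENED)):
        ok, findings = audit_history_exposure(hdrs)
        print(label, "OK" if ok else "EXPOSED")
        for f in findings:
            print("  -", f)
```

A quoted argument such as no-cache="Set-Cookie, no-store" is parsed as one directive, so a no-store that appears only inside the quotes is not counted.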

Comment 2

16 years ago
verified INVALID
Status: RESOLVED → VERIFIED

Comment 3

13 years ago
*** Bug 302707 has been marked as a duplicate of this bug. ***