Closed Bug 374599 Opened 17 years ago Closed 8 years ago

Non-authenticated cache entries are used after HTTP authentication

Categories

(Core :: Networking: HTTP, defect)

x86
All
defect
Not set
minor

RESOLVED INVALID

People

(Reporter: flavio.tordini, Unassigned)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; it-IT; rv:1.8.1.2) Gecko/20060601 Firefox/2.0.0.2 (Ubuntu-edgy)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; it-IT; rv:1.8.1.2) Gecko/20060601 Firefox/2.0.0.2 (Ubuntu-edgy)

After authenticating to a website using Basic HTTP authentication, Firefox (but I think this applies to any Gecko-based browser) keeps using the responses cached BEFORE the authentication took place.

Strictly speaking this is NOT a bug. I searched the HTTP 1.1 spec and HTTP authentication spec (RFC 2617) and couldn't find anything normative about this behavior. Anyway this prevents a website from displaying user-specific information after login, because the browser keeps using the previously cached pages.

Opera 9.1 and Konqueror 3.5.6 don't do this, while Internet Explorer and Gecko behave the same way.

While this may appear pretty minor, I believe that getting HTTP authentication right will allow more sites to take advantage of this built-in HTTP feature, in place of cookie-based session tracking.

Reproducible: Always

Steps to Reproduce:
1. GET a page that sets the Expires: x or Cache-Control: max-age=x HTTP headers
2. GET a page that requires authentication by responding with a 401 status code
3. GET the first page again
Actual Results:  
The browser used the cached response from step 1.

Expected Results:  
The browser should have fetched the page again, bypassing its local cache.
vary
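To make the three steps concrete, here is an added example (not the reporter's or Mozilla's code) modelling a browser-style private cache that honours max-age, no-store and the Vary header as in RFC 2616 §13.6; it shows that the step-1 entry is reused after login unless the server sends `Vary: Authorization`. The URL, headers and Basic credentials are constructed placeholders.

```python
import time

class PrivateCache:
    """Minimal HTTP/1.1 private (per-user) cache keyed on URL."""
    def __init__(self):
        self.entries = {}  # url -> (stored_at, request_headers, response)

    def store(self, url, request_headers, resp, now=None):
        # no-store responses are never written to the cache
        if "no-store" in resp["headers"].get("Cache-Control", ""):
            return
        stored_at = now if now is not None else time.time()
        self.entries[url] = (stored_at, dict(request_headers), resp)

    def lookup(self, url, request_headers, now=None):
        now = now if now is not None else time.time()
        entry = self.entries.get(url)
        if entry is None:
            return None
        stored_at, orig_req, resp = entry
        cc = resp["headers"].get("Cache-Control", "")
        max_age = int(cc.split("max-age=")[1].split(",")[0]) if "max-age=" in cc else 0
        if now - stored_at > max_age:
            return None  # stale, must refetch
        # RFC 2616 s13.6: the entry may only be reused if every request header
        # named in Vary has the same value as in the request that stored it.
        vary = resp["headers"].get("Vary", "")
        for name in [v.strip() for v in vary.split(",") if v.strip()]:
            if name == "*" or orig_req.get(name) != request_headers.get(name):
                return None
        return resp

def simulate(server_varies_on_authorization):
    """Replay steps 1-3 of the report; returns 'cached' or 'refetch'."""
    cache = PrivateCache()
    url = "http://example.test/page"  # constructed URL
    headers = {"Cache-Control": "max-age=3600"}
    if server_varies_on_authorization:
        headers["Vary"] = "Authorization"  # the server-side mitigation
    anon = {"status": 200, "headers": headers, "body": "Hello, guest"}
    cache.store(url, {}, anon, now=0)          # step 1: anonymous GET, cached
    # step 2: a 401 elsewhere makes the browser attach Basic credentials
    authed = {"Authorization": "Basic dXNlcjpwYXNz"}  # constructed user:pass
    hit = cache.lookup(url, authed, now=10)    # step 3: GET the first page again
    return "cached" if hit else "refetch"
```

Without the Vary header the anonymous entry is served to the authenticated user, which is the behaviour the report describes; with it the cache misses and the page is fetched with credentials.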
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID