Closed
Bug 374599
Opened 17 years ago
Closed 8 years ago
Non-authenticated cache entries are used after HTTP authentication
Categories
(Core :: Networking: HTTP, defect)
RESOLVED
INVALID
People
(Reporter: flavio.tordini, Unassigned)
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; it-IT; rv:1.8.1.2) Gecko/20060601 Firefox/2.0.0.2 (Ubuntu-edgy)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; it-IT; rv:1.8.1.2) Gecko/20060601 Firefox/2.0.0.2 (Ubuntu-edgy)

After authenticating to a website using Basic HTTP authentication, Firefox (but I think this applies to any Gecko-based browser) keeps using the responses cached BEFORE the authentication took place.

Strictly speaking this is NOT a bug. I searched the HTTP 1.1 spec and HTTP authentication spec (RFC 2617) and couldn't find anything normative about this behavior. Anyway this prevents a website from displaying user-specific information after login, because the browser keeps using the previously cached pages.

Opera 9.1 and Konqueror 3.5.6 don't do this, while Internet Explorer and Gecko behave the same way.

While this may appear pretty minor, I believe that getting HTTP authentication right will allow more sites to take advantage of this built-in HTTP feature, in place of cookie-based session tracking.

Reproducible: Always

Steps to Reproduce:
1. GET a page that sets the Expires: x or Cache-Control: max-age=x HTTP headers
2. GET a page that requires authentication by responding with a 401 status code
3. GET the first page again

Actual Results:
The browser used the cached response from step 1.

Expected Results:
The browser should have fetched the page again, bypassing its local cache.
Comment 1•8 years ago
vary
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
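
Added example (not part of the bug report or of Gecko's code): reading Comment 1 as a pointer to the HTTP Vary response header, which is an assumption, this toy cache replays the three steps from the report with and without Vary: Authorization. It also assumes the first page lies in the protection space of the login, so the browser sends Authorization at step 3; the class, URL and user names are hypothetical.

```python
# Added illustration: toy private HTTP cache modelling only Vary matching.
# Freshness is assumed (max-age not yet expired); all names are hypothetical.

def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}

class ToyCache:
    def __init__(self):
        self._entries = {}  # url -> list of (selecting request headers, body)

    def store(self, url, req_headers, resp_headers, body):
        req, resp = _lower(req_headers), _lower(resp_headers)
        names = [n.strip().lower() for n in resp.get("vary", "").split(",") if n.strip()]
        # Remember the request header values this response was selected on.
        selecting = {n: req.get(n) for n in names}
        self._entries.setdefault(url, []).append((selecting, body))

    def lookup(self, url, req_headers):
        req = _lower(req_headers)
        for selecting, body in self._entries.get(url, []):
            if "*" in selecting:
                continue  # Vary: * never matches a later request
            if all(req.get(n) == v for n, v in selecting.items()):
                return body
        return None

def origin(req_headers, vary):
    """Constructed origin server: personalises the page when credentials are sent."""
    user = "alice" if "authorization" in _lower(req_headers) else "guest"
    resp = {"Cache-Control": "max-age=600"}
    if vary:
        resp["Vary"] = vary
    return resp, f"Hello, {user}"

def replay(vary):
    """Run the report's steps 1-3 and return the body shown at step 3."""
    cache, url = ToyCache(), "/home"
    def get(req_headers):
        body = cache.lookup(url, req_headers)
        if body is None:  # cache miss: fetch from origin and store
            resp, body = origin(req_headers, vary)
            cache.store(url, req_headers, resp, body)
        return body
    get({})                                           # step 1: anonymous GET, cached
    creds = {"Authorization": "Basic <constructed>"}  # step 2: user has logged in
    return get(creds)                                 # step 3: same URL, with credentials

if __name__ == "__main__":
    print(replay(None))             # Hello, guest
    print(replay("Authorization"))  # Hello, alice
```

Without Vary the stored anonymous entry matches any later request for the URL; with Vary: Authorization the entry is keyed on the absence of credentials, so the authenticated request misses and is fetched again.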