Closed Bug 445821 Opened 17 years ago Closed 15 years ago

cache ignores no-cache headers when a page posts back to itself

Categories

(Core :: Networking: Cache, defect)

x86
Windows XP
defect
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: scottm, Assigned: jduell.mcbugs)

Details

(Whiteboard: [sg:investigate])

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0

Might be very similar to 41741.

I can provide access to our application upon request. Just send me an e-mail.

This is a classic ASP application that extensively uses form post back methods to update information on a page.

After authenticating (logging in) navigate to any page, click an action that sends a post back to the same page, then log out of the application. Now click the back button. The last page displayed appears without having to authenticate again. Taking any further action on the cached page does redirect us to our login page for re-authentication.

All of our pages contain the following response headers:

    Response.ExpiresAbsolute = Now() - 1
    Response.AddHeader "Cache-Control", "max-age = 0, s-maxage = 0, must-revalidate, proxy-revalidate, no-cache, no-store"
    Response.AddHeader "Pragma", "no-cache"
    Response.Expires = -1

Let me know if any additional information is needed.

Reproducible: Always
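An added example, not part of the original report and not the reporter's or Mozilla's code: a Python check that parses the response headers quoted in the report above and lists what a cache would still be permitted to do with the page. It also flags members such as `max-age = 0`, whose spaces around `=` fall outside the HTTP cache-directive grammar; the function names, the `REPORTED_HEADERS` sample and the wording of the findings are assumptions of this example.

```python
import re

# RFC 9110 token; a cache directive is token[=token|"quoted-string"], no spaces around "=".
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
STRICT = re.compile(rf'^{TOKEN}(=({TOKEN}|"[^"]*"))?$')
MEMBER = re.compile(r'(?:[^,"]|"[^"]*")+')  # split on commas outside quotes

def parse_cache_control(value):
    """Leniently parse a Cache-Control value.

    Returns (directives, malformed): a dict of lower-cased directive names to
    their argument (or None), and the members that break the strict grammar.
    """
    directives, malformed = {}, []
    for member in MEMBER.findall(value):
        member = member.strip()
        if not member:
            continue
        if not STRICT.match(member):
            malformed.append(member)
        name, _, arg = member.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives, malformed

def audit(headers):
    """Audit (name, value) response headers of an authenticated page.

    Returns a list of findings; an empty list means storage is forbidden and
    every directive is well formed.
    """
    values = [v for n, v in headers if n.lower() == "cache-control"]
    directives, malformed = parse_cache_control(",".join(values))
    findings = []
    if "no-store" not in directives:
        findings.append("no-store missing: caches may keep a copy of the page")
    if "no-cache" not in directives and directives.get("max-age") != "0":
        findings.append("no-cache/max-age=0 missing: a stored copy may be reused without revalidation")
    findings += [f"malformed directive {m!r}" for m in malformed]
    return findings

# Constructed sample: header values copied from the report above.
REPORTED_HEADERS = [
    ("Cache-Control", "max-age = 0, s-maxage = 0, must-revalidate, "
                      "proxy-revalidate, no-cache, no-store"),
    ("Pragma", "no-cache"),
]

if __name__ == "__main__":
    for finding in audit(REPORTED_HEADERS):
        print(finding)
```

Run against the reported headers, the check finds `no-store` and `no-cache` present and reports only the two members written with spaces around `=`.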
Component: General → Networking: Cache
Product: Firefox → Core
QA Contact: general → networking.cache
> Might be very similar to 41741

Typo in bug number?
Can you put up a simple public site that demonstrates this bug?
Whiteboard: [sg:needinfo]
Jesse, sure.

URL: http://www.threerivers-cams.com/studentportal
Username is Groves
Password is password

Once logged in, click on the Course Offering Link, then click one of the page numbers. Click the logout link. Once you reach the logout page, click backspace (or the browser's back button). You will be taken back to the course offering page without having to authenticate. Click any link and you'll be redirected back to the login page.
jduell, can you look at this?
Whiteboard: [sg:needinfo] → [sg:investigate]
Yup. Should at least be able to take a peek at it in the next few days.
Scott,

Your test link appears to be broken. When I go to http://www.threerivers-cams.com/studentportal I get "An error occurred on the server when processing the URL. Please contact the system administrator at cesupport@threerivers-cams.com". Please fix so I can test. Thanks.
Assignee: nobody → jduell.mcbugs
Should be back up now, sorry but I can only leave it up for a couple of days. When the login page appears, use Student1 / Student1 (Case Sensitive) in the FA-07 Term. Once the menu appears select the Course Offering link. From the course offering, click any of the additional pages (2 or 3). Then click the logout link. Press the back button.
I've confirmed the behavior, but now I'm wondering exactly what it is that you're doing to authorize and log out the user. Are you using basic auth? What are you doing exactly to log out the user?
We have several types of authentication available (LDAP, Active Directory, and Basic Application Authentication). The site you are accessing is using Basic.

When a user logs in successfully we create an in-memory cookie that identifies the user session. Something like:

    Response.Cookies("OurCookie") = CStr(GUID)

When a user logs out, we delete the cookie and abandon the session.

    Response.Cookies("OurCookie").Expires = Date - 1
    Session.Abandon
I just installed 3.0.6 and it appears that this issue has been corrected. I need to do a bit more testing but so far so good.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
Group: core-security → core-security-release
Group: core-security-release