As a security precaution, we have turned on the setting "Require API key authentication for API requests" for everyone. If this has broken something, please contact
Last Comment Bug 533412 - Cache look-up should consider authenticated user names
: Cache look-up should consider authenticated user names
Product: Core
Classification: Components
Component: Networking: HTTP (show other bugs)
: unspecified
: All All
: -- normal (vote)
: ---
Assigned To: Nobody; OK to take it and work on it
: Patrick McManus [:mcmanus]
Depends on:
Blocks: 532127
  Show dependency treegraph
Reported: 2009-12-08 00:45 PST by Yutaka OIWA
Modified: 2016-02-04 11:36 PST (History)
9 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Description User image Yutaka OIWA 2009-12-08 00:45:30 PST
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20091102 Firefox/3.5.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20091102 Firefox/3.5.5

Mozilla do not distinguish pages with same URL but authenticated by different credentials.  If the user visits the same page twice with different credentials, the cached page for the first user will be served for the second user.
The URL demonstrates the behavior.
To fix this, the cache should consider the user-names of the authentications as one of keys for cache look-up (as if it were specified in a header referenced by a Vary: header.)

The HTTP/1.1 spec (RFC 2616) only considers the situation where every authentication session is valid while the browser is not terminated.
This is no more true with the current Firefox implementation.
The current implementation of the browser is
something between the "public" and "private" caches defined in RFC 2616.

This bug covers previously submitted bug 374599 (in Fx 2.0), which was not severe in the previous situation (because there was no situations for TWO usernames in the same browser session).

Reproducible: Always

Steps to Reproduce:
Visit the pages shown in the URL field.
The pages returns "Last-modified:" headers for both 401 and 200 pages.
Actual Results:  
Cached unauthenticated pages will be shown for authenticated users, and cached pages for the user A will be shown for user B.

Expected Results:  
Cache entries should not be used when the usernames in the new request differ from that of a cached requests.

Confirmed on both Mozilla Firefox 3.5.5 and 3.0.15.
Comment 1 User image Jo Hermans 2009-12-08 01:21:22 PST
That's a situation where the "Cache-Control: private" header should have been used ...
Comment 2 User image Yutaka OIWA 2009-12-08 23:38:37 PST
(In reply to comment #1)
> That's a situation where the "Cache-Control: private" header should have been
> used ...

this demo only returns a "Last-modified:" header and no Cache-Control, and
RFC 2616 says that shared caches (for which "Cache-Control: private" applies,
Sec. 14.9.1) should not cache responses to any requests which have "Authorization:" header (Sec. 14.8), unless it is explicitly
allowed by "Cache-control: public" and "Cache-control: s-maxage=...".

RFC also says that 401 responses should not be cached unless it has an explicit cache controlling header (Sec. 13.4).
Comment 3 User image Patrick McManus [:mcmanus] 2016-02-04 11:36:00 PST
this is what vary is for

Note You need to log in before you can comment on or make changes to this bug.