Re: Cache-control and Authentication

Scott Lawrence (lawrence@agranat.com)
Tue, 01 Sep 1998 15:11:42 +0000

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Paul Leach: "RE: authentication-02: threat of snooped password"
Previous message: Nottingham, Mark: "Cache-control and Authentication"
Maybe in reply to: Nottingham, Mark: "Cache-control and Authentication"

Nottingham, Mark (Australia) wrote:

> Let's say a server has content that clients access through a 1.1-capable
> cache (this is internal, so it can be controlled). There is a section of
> the content that requires basic authentication, but the content does not
> change based upon that authentication; any user-specific changes
> controlled by the path, query and parameters.
> 
> What is the correct way to allow caches to keep, and satisfy requests
> from, a local copy, while still forcing the request to be revalidated

I believe that the correct way to do this is:

Cache-Control: must-revalidate

In addition to being controlled, I would also make it checked - look for a
1.0 revision in the Via header (so that you know whether or not you've got a
1.1 client or downstream proxy), and add 'Pragma: no-cache' header to
prevent 1.0 caches from holding it just in case.

-- 
Scott Lawrence           Consulting Engineer      <lawrence@agranat.com>
Agranat Systems, Inc.  Embedded Web Technology   http://www.agranat.com/

Next message: Paul Leach: "RE: authentication-02: threat of snooped password"
Previous message: Nottingham, Mark: "Cache-control and Authentication"
Maybe in reply to: Nottingham, Mark: "Cache-control and Authentication"