Opened 10 years ago

Closed 10 years ago

Last modified 7 years ago

#10225 closed Uncategorized (invalid)

Cache middleware does not honor "Cache-Control: no-cache" in request headers

Reported by: erny Owned by: nobody
Component: Core (Cache system) Version: 1.0
Severity: Normal Keywords:
Cc: hv@… Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


How to test:

  1. Create or add to
    import datetime
    from django.http import HttpResponse
    from django.views.decorators.cache import cache_page
    @cache_page(2 * 60)
    def cache_test(request):
        now ='%Y-%m-%d %H:%M:%S')
        txt = u"Fecha/Hora %s" % now
        return HttpResponse(txt, 'text/plain')
  1. Create or add to
    from django.conf.urls.defaults import patterns
    urlpatterns = patterns(
        (r'^cache_test$', 'views.cache_test'),
  1. Include in your backend (I use memcache):
    CACHE_BACKEND = 'memcached://localhost:11211/
  1. Run development server: ./ runserver
  1. Open Firefox and get URL: http://localhost/cache_test. The current date/time should appear.
  1. Press Ctrl-F5 in the browser to force reload. The same text as in step 5. appears, instead of the current date/time.

Change History (5)

comment:1 Changed 10 years ago by Julian Bez

Triage Stage: UnreviewedAccepted

I can confirm that. Sending "no-cache" does not give you a fresh page which means it is not following specification:

"The request includes a "no-cache" cache-control directive or, for compatibility with HTTP/1.0 clients, "Pragma: no-cache". Field names MUST NOT be included with the no-cache directive in a request. The server MUST NOT use a cached copy when responding to such a request."

comment:2 Changed 10 years ago by anonymous

Regardless of what the rfc says you generally don't want users hitting ctrl+f5 bring your frontpage down.

comment:3 Changed 10 years ago by John Moylan

Resolution: invalid
Status: newclosed

I think this ticket confuses HTTP caching with application caching. The no-cache directive sets HTTP headers that are used to validate content on a HTTP proxy cache or web browser cache. The documentation also makes a clear distinction between these types of caching.

This ticket should be marked as invalid.

comment:4 Changed 7 years ago by Thomas Güttler

Cc: hv@… added
Easy pickings: unset
Severity: Normal
Type: Uncategorized
UI/UX: unset

comment:5 Changed 7 years ago by Thomas Güttler

A normal reload (F5 or ctrl-r) does not set the request header "Pragma: no-cache". Only shift-ctrl-r or ctrl-f5 sets it. The current implementation (ignoring pragma no-cache) does not help you, if someone wants to bring your site down. I think this is a valid ticket and pragma no-cache should not be ignored.

BTW, if you are a developer and want to force a reload, you can add a query-string: http://..../foo/?x

If you are afraid of denial of service attacks, an attacker could send you a different query-string in every request!

Last edited 7 years ago by Thomas Güttler (previous) (diff)
Note: See TracTickets for help on using tickets.
Back to Top