#10225 closed Uncategorized (invalid)
Cache middleware does not honor "Cache-Control: no-cache" in request headers
| Reported by: | erny | Owned by: | nobody |
|---|---|---|---|
| Component: | Core (Cache system) | Version: | 1.0 |
| Severity: | Normal | Keywords: | |
| Cc: | hv@… | Triage Stage: | Accepted |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
How to test:
- Create or add to views.py:
import datetime from django.http import HttpResponse from django.views.decorators.cache import cache_page @cache_page(2 * 60) def cache_test(request): now = datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S') txt = u"Fecha/Hora %s" % now return HttpResponse(txt, 'text/plain')
- Create or add to urls.py:
from django.conf.urls.defaults import patterns urlpatterns = patterns( '', (r'^cache_test$', 'views.cache_test'), )
- Include in
settings.pyyour backend (I use memcache):CACHE_BACKEND = 'memcached://localhost:11211/
- Run development server:
./manage.py runserver
- Open Firefox and get URL:
http://localhost/cache_test. The current date/time should appear.
- Press Ctrl-F5 in the browser to force reload. The same text as in step 5. appears, instead of the current date/time.
Change History (5)
comment:1 by , 16 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|
comment:2 by , 16 years ago
Regardless of what the rfc says you generally don't want users hitting ctrl+f5 bring your frontpage down.
comment:3 by , 16 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
I think this ticket confuses HTTP caching with application caching. The no-cache directive sets HTTP headers that are used to validate content on a HTTP proxy cache or web browser cache. The documentation also makes a clear distinction between these types of caching.
This ticket should be marked as invalid.
comment:4 by , 13 years ago
| Cc: | added |
|---|---|
| Easy pickings: | unset |
| Severity: | → Normal |
| Type: | → Uncategorized |
| UI/UX: | unset |
comment:5 by , 13 years ago
A normal reload (F5 or ctrl-r) does not set the request header "Pragma: no-cache". Only shift-ctrl-r or ctrl-f5 sets it. The current implementation (ignoring pragma no-cache) does not help you, if someone wants to bring your site down. I think this is a valid ticket and pragma no-cache should not be ignored.
BTW, if you are a developer and want to force a reload, you can add a query-string: http://..../foo/?x
If you are afraid of denial of service attacks, an attacker could send you a different query-string in every request!
I can confirm that. Sending "no-cache" does not give you a fresh page which means it is not following specification:
"The request includes a "no-cache" cache-control directive or, for compatibility with HTTP/1.0 clients, "Pragma: no-cache". Field names MUST NOT be included with the no-cache directive in a request. The server MUST NOT use a cached copy when responding to such a request."
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html