Opened 6 years ago

Closed 6 years ago

Last modified 4 years ago

#10225 closed Uncategorized (invalid)

Cache middleware does not honor "Cache-Control: no-cache" in request headers

Reported by: erny
Owned by: nobody
Component: Core (Cache system)
Version: 1.0
Severity: Normal
Keywords:
Cc: hv@…
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

How to test:

  1. Create or add to views.py:
    import datetime
    
    from django.http import HttpResponse
    from django.views.decorators.cache import cache_page
    
    
    @cache_page(2 * 60)
    def cache_test(request):
        now = datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S')
        txt = u"Fecha/Hora %s" % now
        return HttpResponse(txt, 'text/plain')
    
    
  2. Create or add to urls.py:
    from django.conf.urls.defaults import patterns
    
    urlpatterns = patterns(
        '',
        (r'^cache_test$', 'views.cache_test'),
    )
    
    
  3. Include in settings.py your backend (I use memcache):
    CACHE_BACKEND = 'memcached://localhost:11211/'
    
  4. Run development server: ./manage.py runserver
  5. Open Firefox and get URL: http://localhost/cache_test. The current date/time should appear.
  6. Press Ctrl-F5 in the browser to force reload. The same text as in step 5 appears, instead of the current date/time.

Change History (5)

comment:1 Changed 6 years ago by julianb

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted

I can confirm that. Sending "no-cache" does not give you a fresh page, which means it is not following the specification:

"The request includes a "no-cache" cache-control directive or, for compatibility with HTTP/1.0 clients, "Pragma: no-cache". Field names MUST NOT be included with the no-cache directive in a request. The server MUST NOT use a cached copy when responding to such a request."

http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html

comment:2 Changed 6 years ago by anonymous

Regardless of what the RFC says, you generally don't want users hitting Ctrl+F5 to bring your front page down.

comment:3 Changed 6 years ago by JohnMoylan

  • Resolution set to invalid
  • Status changed from new to closed

I think this ticket confuses HTTP caching with application caching. The no-cache directive sets HTTP headers that are used to validate content on an HTTP proxy cache or web browser cache. The documentation also makes a clear distinction between these types of caching.

This ticket should be marked as invalid.

comment:4 Changed 4 years ago by guettli

  • Cc hv@… added
  • Easy pickings unset
  • Severity set to Normal
  • Type set to Uncategorized
  • UI/UX unset

comment:5 Changed 4 years ago by guettli

A normal reload (F5 or Ctrl-R) does not set the request header "Pragma: no-cache". Only Shift-Ctrl-R or Ctrl-F5 sets it. The current implementation (ignoring Pragma: no-cache) does not help you if someone wants to bring your site down. I think this is a valid ticket and Pragma: no-cache should not be ignored.

BTW, if you are a developer and want to force a reload, you can add a query-string: http://..../foo/?x

If you are afraid of denial of service attacks, an attacker could send you a different query-string in every request!

Last edited 4 years ago by guettli (previous) (diff)
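Added example, not part of the ticket and not Django's code: a framework-independent sketch of a page cache that addresses both concerns raised in the comments. It honors `Cache-Control: no-cache` / `Pragma: no-cache` from the request, but regenerates a given entry at most once per interval, and it drops unknown query parameters from the cache key so that `?x`-style variations share one entry. The names `PageCache`, `ALLOWED_PARAMS` and `REFRESH_INTERVAL` and their values are assumptions chosen for illustration.

```python
import time
from urllib.parse import parse_qsl, urlencode

ALLOWED_PARAMS = {"page"}   # assumption: the only query parameter the view reads
REFRESH_INTERVAL = 10.0     # assumption: minimum seconds between forced refreshes
TTL = 120.0                 # same lifetime as cache_page(2 * 60) in the ticket


def wants_fresh(headers):
    """True if the request carries Cache-Control: no-cache or Pragma: no-cache."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    directives = [d.strip().split("=")[0]
                  for d in h.get("cache-control", "").split(",")]
    return "no-cache" in directives or "no-cache" in h.get("pragma", "")


def cache_key(path, query):
    """Drop unknown parameters so ?x, ?y, ... all map to one cache entry."""
    kept = sorted((k, v) for k, v in parse_qsl(query, keep_blank_values=True)
                  if k in ALLOWED_PARAMS)
    return path + ("?" + urlencode(kept) if kept else "")


class PageCache:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.store = {}  # key -> (body, stored_at)

    def get(self, path, query, headers, render):
        """Return (body, served_from_cache)."""
        key, now = cache_key(path, query), self.clock()
        hit = self.store.get(key)
        if hit is not None:
            body, stored_at = hit
            age = now - stored_at
            # Honor no-cache only when the entry is older than the interval,
            # which bounds regeneration to one render per key per interval
            # no matter how many clients force a reload.
            forced = wants_fresh(headers) and age >= REFRESH_INTERVAL
            if age < TTL and not forced:
                return body, True
        body = render()
        self.store[key] = (body, now)
        return body, False
```

The refresh bound is per cache entry rather than per client, so it holds even when forced reloads arrive from many addresses at once.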