PHP :: Request #40686 :: Overly restrictive/invalid headers sent as session cache limiters

Overly restrictive/invalid headers sent as session cache limiters

Submitted:

2007-03-01 22:52 UTC

Modified:

2019-09-12 10:37 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	1 (100.0%)

From:

spam02 at pornel dot net

Assigned:

Status:

Open

Package:

*General Issues

PHP Version:

4CVS-2007-03-01 (snap)

OS:

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	spam02 at pornel dot net
New email:
PHP Version:		OS:

New/Additional Comment:

[2007-03-01 22:52 UTC] spam02 at pornel dot net

Description:
------------
Currently, *by default*, PHP sends *the most restrictive* anti-caching directives possible. 

* no-store is intended as a security measure, not regular cache-control
* must-revalidate alone doesn't prevent caching, just requires browser to revalidate it after it expires. This however, with no-cache prevents use of "offline browsing" feature.
* pre-check and post-check are non-standard directives that let Internet Explorer revalidate cached objects less frequently and/or asynchronously.

Please don't use these directives in the default configuration (called "nocache" cache_limiter), as their use in majority of cases is either unjustified or invalid and causes performance and usability problems (for example: https://bugzilla.mozilla.org/show_bug.cgi?id=261312).

BTW: it turns out that Opera (and most likely other browser vendors) do not fully support these directives *because* PHP abuses them (http://my.opera.com/yngve/blog/2007/02/27/introducing-cache-contexts-or-why-the "This abuse is the reason why must-revalidate is only obeyed for secure sites.")

Reproduce code:
---------------
<?php session_start();


Expected result:
----------------
Cache-control: no-cache


Actual result:
--------------
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2019-09-12 10:37 UTC] cmb@php.net

-Package: Feature/Change Request +Package: *General Issues

[2019-09-12 10:37 UTC] cmb@php.net

JFTR: the IE specific directives are removed as of PHP 7.0.0.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Mar 31 11:01:31 2025 UTC