php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #40686 Overly restrictive/invalid headers sent as session cache limiters
Submitted: 2007-03-01 22:52 UTC Modified: 2019-09-12 10:37 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: spam02 at pornel dot net Assigned:
Status: Open Package: *General Issues
PHP Version: 4CVS-2007-03-01 (snap) OS: *
Private report: No CVE-ID: None
 [2007-03-01 22:52 UTC] spam02 at pornel dot net
Description:
------------
Currently, *by default*, PHP sends *the most restrictive* anti-caching directives possible. 

* no-store is intended as a security measure, not regular cache-control
* must-revalidate alone doesn't prevent caching, just requires browser to revalidate it after it expires. This however, with no-cache prevents use of "offline browsing" feature.
* pre-check and post-check are non-standard directives that let Internet Explorer revalidate cached objects less frequently and/or asynchronously.

Please don't use these directives in the default configuration (called "nocache" cache_limiter), as their use in majority of cases is either unjustified or invalid and causes performance and usability problems (for example: https://bugzilla.mozilla.org/show_bug.cgi?id=261312).

BTW: it turns out that Opera (and most likely other browser vendors) do not fully support these directives *because* PHP abuses them (http://my.opera.com/yngve/blog/2007/02/27/introducing-cache-contexts-or-why-the "This abuse is the reason why must-revalidate is only obeyed for secure sites.")

Reproduce code:
---------------
<?php session_start();


Expected result:
----------------
Cache-control: no-cache


Actual result:
--------------
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-09-12 10:37 UTC] cmb@php.net
-Package: Feature/Change Request +Package: *General Issues
 [2019-09-12 10:37 UTC] cmb@php.net
JFTR: the IE specific directives are removed as of PHP 7.0.0.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Nov 23 08:01:28 2024 UTC