php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #40686 Overly restrictive/invalid headers sent as session cache limiters
Submitted: 2007-03-01 22:52 UTC Modified: 2019-09-12 10:37 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: spam02 at pornel dot net Assigned:
Status: Open Package: *General Issues
PHP Version: 4CVS-2007-03-01 (snap) OS: *
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: spam02 at pornel dot net
New email:
PHP Version: OS:

 

 [2007-03-01 22:52 UTC] spam02 at pornel dot net
Description:
------------
Currently, *by default*, PHP sends *the most restrictive* anti-caching directives possible. 

* no-store is intended as a security measure, not regular cache-control
* must-revalidate alone doesn't prevent caching, just requires browser to revalidate it after it expires. This however, with no-cache prevents use of "offline browsing" feature.
* pre-check and post-check are non-standard directives that let Internet Explorer revalidate cached objects less frequently and/or asynchronously.

Please don't use these directives in the default configuration (called "nocache" cache_limiter), as their use in majority of cases is either unjustified or invalid and causes performance and usability problems (for example: https://bugzilla.mozilla.org/show_bug.cgi?id=261312).

BTW: it turns out that Opera (and most likely other browser vendors) do not fully support these directives *because* PHP abuses them (http://my.opera.com/yngve/blog/2007/02/27/introducing-cache-contexts-or-why-the "This abuse is the reason why must-revalidate is only obeyed for secure sites.")

Reproduce code:
---------------
<?php session_start();


Expected result:
----------------
Cache-control: no-cache


Actual result:
--------------
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-09-12 10:37 UTC] cmb@php.net
-Package: Feature/Change Request +Package: *General Issues
 [2019-09-12 10:37 UTC] cmb@php.net
JFTR: the IE specific directives are removed as of PHP 7.0.0.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Oct 15 09:01:26 2024 UTC