RE: Web Mails

From: Dave J Woolley <[email protected]>
Date: Thu, 22 Jul 1999 18:13:49 +0100

> From: Ubaldo Lescano [SMTP:ulescano@tsi.com.pe]
>
> refresh_pattern -i latinmail.com 60 100% 240 reload-into-ims
> override-lastmod
>
        It wouldn't surprise me if override-lastmod is making
        a page cacheable which should not be cacheable. The
        only difference between two different users is probably
        the cookie sent, so making the page falsely cacheable
        would likely result in getting other people's mail.

        Sites that use cookies instead of proper HTTP
        authentication (most :-() should use:

        Cache-Control: private

        to try to avoid this problem (pages requested with
        authentication have this implied by default, but
        cookies are so endemic that you can't make such
        assumptions when they are present).
        However, this is an HTTP 1.1 feature,
        so I'm not certain that squid would obey it. They
        might be able to use Pragma: no-cache, as an HTTP
        1.0 fallback, but I would need to check the specs to
        make sure that this is ignored for HTTP 1.1 with
        Cache-Control headers.

        Generally, though, you cannot expect web accesses to
        behave correctly if you set any of the modifiers on
        refresh patterns.

        You also can't generally expert commercial web site
        operators to understand the details of the protocol,
        or to sympathise with ISPs that are poorly connected.

        If the browser exits in response to a page, it is either
        broken on insecure, and this cannot be considere a
        problem with the proxy.
Received on Thu Jul 22 1999 - 11:04:45 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:47:29 MST