Re: [SQU] 304response does not override cached headers.

From: Hirohiko Nakano <[email protected]>
Date: Mon, 11 Sep 2000 21:46:44 +0900

Alex Rousskov wrote:
>On Sun, 20 Aug 2000, Hirohiko Nakano wrote:
>
>> If the conditional GET used a strong cache validator (see section
>> 13.3.3), the response SHOULD NOT include other entity-headers.
>> Otherwise (i.e., the conditional GET used a weak validator), the
>> response MUST NOT include other entity-headers; this prevents
>> inconsistencies between cached entity-bodies and updated headers.
>>
>> *** This section does not mention how to handle general headers. I
>> think Pragma header is allowed in 304responses. ***
>
>Yes, looks like you are right. I missed the "entity-" qualification when
>reading the specs. FWIW, I have seen several non-Squid caches that would
>not update _extension_ headers on 304 replies so you probably should not
>rely on caches complying with this aspect of HTTP without double
>checking. (Pragma is not an extension header, but I would not be
>surprised if caches do not update it either).
>
>While "reasonable", the requirement to update headers is often costly
>and cumbersome to implement so I guess that many cache designers may
>simply ignore it for now.
>
>Alex.
>
>
>--
>To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
>

Thank you for your response.

At first, I had a plan to use Authentication-Info header defined in DA authentication spec.
But Squid does not support it, so I checked Http specs in order to chose a suitable header for my purpose.

By the way, Squid will support DA auth in the future?

If Squid supports DA auth in the future, I think that the same problem would occur.

DA auth uses a nonce to reject old (replay attack) requests.
Authentication-Info header includes next-nonce value to update the nonce value which a client uses.

If server cannot send Authentication-Info header in 304 response, squid sends a stale nonce stored
in cache to a client.
Cache-hit is an unhappy event for DA auth?

I think that 304HTTP response can include Authentication-Info header.
I think that Authentication-Info header MUST be passed through by a proxy.

??

----
Hirohiko Nakano  nakano@hp-info.med.osaka-u.ac.jp
--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
Received on Mon Sep 11 2000 - 06:48:07 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:55:14 MST