Bj�rn Mork <bjorn@mork.no> writes:
> We need to adapt
> to this imperfection by never caching a text object having a
> Set-Cookie or Set-Cookie2 field.
>
> Is this possible?
Well, I guess silence means no. Looking at the code, I think the best
solution would be adding a "no_cache_reply" access list and an acl
rule for matching reply header fields (or maybe header fields in general).
However, lazy as I am, I only did a quick and dirty hack like this:
--- squid-2.6-DEVEL-20021025-orig/configure.in 2002-10-25 02:14:03.000000000 +0200
+++ squid-2.6-DEVEL-20021025/configure.in 2002-10-25 23:49:05.000000000 +0200
@@ -862,6 +862,21 @@
fi
])
+dnl Disable caching of responses with Set-Cookie
+AC_ARG_ENABLE(caching-setcookie,
+[ --disable-caching-setcookie
+ Squid will cache responses with Set-Cookie in full
+ compliance with RFC 2965. However, many web sites
+ fail to add an appropriate Cache-Control field when
+ using Set-Cookie, risking the privacy of clients
+ using a shared cache like Squid. This will disable
+ caching of text objects with Set-Cookie],
+[ if test "$enableval" = "no" ; then
+ echo "Disabling caching of Set-Cookie"
+ AC_DEFINE(DONT_CACHE_SETCOOKIE, 1,[Disable caching of objects with Set-Cookie. Enabled by default.])
+ fi
+])
+
dnl Select Default hosts file location
AC_ARG_ENABLE(default-hostsfile,
[ --enable-default-hostsfile=path
--- squid-2.6-DEVEL-20021025-orig/src/http.c 2002-10-04 11:53:35.000000000 +0200
+++ squid-2.6-DEVEL-20021025/src/http.c 2002-10-25 23:55:22.000000000 +0200
@@ -262,6 +262,22 @@
if ((v = httpHeaderGetStr(hdr, HDR_CONTENT_TYPE)))
if (!strncasecmp(v, "multipart/x-mixed-replace", 25))
return 0;
+
+#ifdef DONT_CACHE_SETCOOKIE
+ /*
+ * Many sites use Set-Cookie on private documents without the
+ * appropriate Cache-Control: private directive. This may cause
+ * clients to get other clients personal information from the
+ * cache. To be on the safe side, we just disable caching of any
+ * text object with Set-Cookie.
+ */
+ if (httpHeaderHas(hdr, HDR_SET_COOKIE) && (v = httpHeaderGetStr(hdr, HDR_CONTENT_TYPE)))
+ if (!strncasecmp(v, "text/", 5)) {
+ debug(11, 4) ("httpCachableReply: Uncachable: text object with Set-Cookie\n");
+ return 0;
+ }
+#endif
+
switch (httpState->entry->mem_obj->reply->sline.status) {
/* Responses that are cacheable */
case HTTP_OK:
I am amazed that noone else on this list seem to have run into this
problem. It took us just a few days of testing squid on one of our
proxies before users started complaining about seeing other users'
personal data on some sites.
Bj�rn
Received on Mon Oct 28 2002 - 02:11:09 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:10:55 MST