Cache-Control Header...

seodevhead
Forum Regular
Posts: 705
Joined: Sat Oct 08, 2005 8:18 pm
Location: Windermere, FL

Cache-Control Header...

Post by seodevhead »

Hey gang,

I have a quick question regarding the Cache-Control header (or lack thereof).

I built a fairly large php/mysql based website that is very interactive for users, much like forums are. Though there is a user registration, most pages are visible to the public, and being a registered member only gives you access to post comments etc... similar to a blog.

Right now, all my php pages are served with NO Cache-Control header... it is not sent to the client at all. But on these very pages I use cookies to test whether visitors are logged in to my site, and if so, that page will display things like form fields and text boxes where they can submit comments. Unregistered users simply don't see those forms.

This is all pretty standard stuff... but I am worried that a registered user will get one of these pages cached in a proxy cache or public cache (since there is no explicit Cache-Control header sent) and didn't know whether or not I was vulnerable to random unregistered people pulling a public cache of a page on my site that was only meant to be seen by registered users.

I hope my question makes sense.

And if this is the case... is all I need to do append a 'Cache-Control: private, must-revalidate' header to all my php pages?

I guess the biggest question is, am I at risk by not using a Cache-Control header... at risk of my "registered-only" page content being publicly cached, that is?

Thanks so much for any help and guidance.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Cache-Control Header...

Post by josh »

The headers are just suggestions to the browser which *should* be followed. If someone wants to cache a registered page they are going to do it.

How would a proxy get the cookie value to cause your application to mismatch the user's identity (registered vs not registered)?

IE can sometimes cache dynamic pages.
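
One way to make the caching intent explicit for the setup described in the question, as an added example that is not part of the thread or any poster's code. The cookie name `member_session` and the function names are assumptions, and the 300-second lifetime for the anonymous variant is an arbitrary sample value.

```php
<?php
// Added example; the cookie name and function names are hypothetical.
const LOGIN_COOKIE = 'member_session'; // assumed name of the site's login cookie

/**
 * Pick caching headers for a page that renders extra content for members.
 * Any request carrying the login cookie is treated as personalized, even
 * before the cookie is validated, so the decision errs on the safe side.
 */
function cache_headers(array $cookies, int $publicMaxAge = 300): array
{
    $personalized = isset($cookies[LOGIN_COOKIE]) && $cookies[LOGIN_COOKIE] !== '';

    return [
        // "private" tells shared caches (proxies, CDNs) not to store the
        // response; "no-cache" makes the browser revalidate before reuse.
        'Cache-Control' => $personalized
            ? 'private, no-cache'
            : 'public, max-age=' . $publicMaxAge,
        // The body depends on the Cookie request header, so a cache that
        // does store the anonymous variant must not reuse it for a request
        // whose cookies differ.
        'Vary' => 'Cookie',
    ];
}

/** Send the chosen headers; call before any output is written. */
function send_cache_headers(array $cookies): void
{
    if (headers_sent()) {
        throw new RuntimeException('Output already started; cannot set cache headers');
    }
    foreach (cache_headers($cookies) as $name => $value) {
        header($name . ': ' . $value);
    }
}

send_cache_headers($_COOKIE);
```

Requesting the same URL with `curl -I`, once with and once without the cookie, shows which variant a shared cache is permitted to store.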