I have an issue with my Rails application and the browser's cache: When a user logs out of the authenticated section of the site, they are still able to use the back button on the browser to see the authenticated page. I do not want to allow this.
How can I expire the cache and force it to reload?
Thank you
The following headers should do that. Whatever page you're trying to protect, add them there.
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Last-Modified: "now"
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Obviously, the now needs to be dynamic.
Just to be safe, you might also want to specify
<META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
<META HTTP-EQUIV="EXPIRES" CONTENT="0">
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
in your pages.
Hi, I am having trouble with ServiceStack authentication with the Xamarin.Auth component.
When I try to authenticate with ServiceStack with WebAuthenticator, I get authenticated but I am not able to return to the app, as in the case of Xamarin.Auth only.
[Route("/my-session")]
public class CustomUserSession : AuthUserSession, IReturn<CustomUserSession>
{
    public string GithubProfileUrl { get; set; }
    public string TwitterProfileUrl { get; set; }
    IRedisClientsManager RedisManager;

    public override void OnAuthenticated(IServiceBase authService, IAuthSession session, IOAuthTokens tokens, Dictionary<string, string> authInfo)
    {
        base.OnAuthenticated(authService, session, tokens, authInfo);
        var userAuthRepo = authService.ResolveService<IUserAuthRepository>();
        var userAuth = userAuthRepo.GetUserAuth(session.UserAuthId);
    }
}
Here is the raw request from JsonServiceClient:
GET http://sample.com/api/my_info HTTP/1.1
Accept: application/json
Accept-Encoding: gzip, deflate
Authorization: DotNetOpenAuth.WebServerClient.XSRF-Session=GGcwh7UvAe3R5ivrrAv7MQ; ss-id=5byYKQ5TYwmYqK3EQ5Vi; ss-pid=82ZTomRsZmdRTTA6dkMF; X-UAId=1
Connection: keep-alive
Host: sample.com
Response:
HTTP/1.1 401 Unauthorized
Cache-Control: private
Server: Microsoft-IIS/8.5
WWW-Authenticate: LinkedIn realm="https://www.linkedin.com/uas/oauth2/authorization"
X-Powered-By: ServiceStack/4.0 Win32NT/.NET
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 25 Nov 2016 19:59:37 GMT
Content-Length: 0
While the same call to /api/my_info in the browser redirects to auth and gets the info.
Browser request:
GET /api/my_info HTTP/1.1
Host: sample.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: ss-pid=pnxqAEU3ExIzrVZ8QdR/; ss-id=qCAkeAUDbQ+QRkZvIQgv; DotNetOpenAuth.WebServerClient.XSRF-Session=lFqnWxGQfdOZEF55MrLT_Q; X-UAId=1
Browser response:
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-Powered-By: ServiceStack Win32NT/.NET
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 22 Nov 2016 20:38:37 GMT
Content-Length: 9443
Connection: keep-alive
<!doctype html>
<html lang="en-us">
<head>
<title>Simple Snapshot of 11/22/2016</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css">
BODY, H1, H2, H3, H4, H5, H6, DL, DT, DD {
..............
Also, JsonServiceClient gets ss-id, but later calling the authenticate service fails with 401.
There's an example project with docs showing how to authenticate ServiceStack with Xamarin.Auth available at:
github.com/ServiceStackApps/TechStacksAuth
I have this Content folder to hold js/images/css etc. which don't change so often. So I have added a config file to this directory which looks like this:
<configuration>
    <system.webServer>
        <staticContent>
            <!-- <clientCache cacheControlMode="UseExpires" httpExpires="Mon, 30 Nov 2015 20:45:45 GMT"/> -->
            <clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="1.00:00:00"/>
        </staticContent>
    </system.webServer>
</configuration>
When I load the page for the first time, I can see these response/request headers for a requested js file:
Response Headers
Accept-Ranges:bytes
Cache-Control:max-age=86400
Content-Encoding:gzip
Content-Length:1730
Content-Type:application/x-javascript
Date:Mon, 30 Nov 2015 12:14:31 GMT
ETag:"038394f8fd11:0"
Last-Modified:Mon, 26 Oct 2015 14:14:08 GMT
Server:Microsoft-IIS/7.5
Vary:Accept-Encoding
X-Powered-By:ASP.NET
Request Headers
Accept:*/*
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:no-cache
Connection:keep-alive
Host:dev.admin.ccmportal.williamslea.com
Pragma:no-cache
Referer:http://dev.admin.ccmportal.williamslea.com/
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Two questions:
1. When I reload the page using F5, I see the same response headers with a content length of 1730. Why is the content reloaded even though I have set it to be cached for 1 day?
2. What does Cache-Control:no-cache mean in the request header?
Thank you!
Content-Length will always show the content length, even when the content is pulled from cache.
Cache-Control: no-cache tells the browser it SHOULD forward the request toward the origin server even if it has a cached copy of what is being requested.
Content-Length spec: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.13
Cache-Control spec: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9
So it looks like your clientCache configuration is working correctly; however, it also looks like your browser is not using the cache, as per Cache-Control:no-cache.
Do you have cache disabled in your dev tools or something similar?
Some weird symbols get displayed: "", in the Kendo editor control, on selecting the "insert ordered list" button (in the Kendo editor toolbar).
This issue occurs only when we change the CDN reference (http://kendo.cdn.telerik.com/2014.2.716/js/kendo.all.min.js) to a local file reference (~/Scripts/kendo/2014.2.716/kendo.all.min.js), which contains the same data.
This is working ->
<script charset="UTF-8" src="http://kendo.cdn.telerik.com/2014.2.716/js/kendo.all.min.js"></script>
But this is not working ->
<script charset="UTF-8" src="~/Scripts/kendo/2014.2.716/kendo.all.min.js" ></script>
After going through this link: http://www.telerik.com/forums/editor-adding-characters-iuml-raquo-iquest-
I made a few changes, but it didn't fix the issue.
Changes:
1. Changed the encoding type of the local file to UTF-8
2. Specified the charset for the local file
<script charset="UTF-8" src="~/Scripts/kendo/2014.2.716/kendo.all.min.js" ></script>
3. Added a meta tag
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
Since the data in the local file is the same as the CDN reference, I am suspecting the response headers. You can find them below.
Please let me know if you have any suggestions to fix this issue.
My server environment is:
ASP.NET MVC, C#, IIS 8.0 Express
Response headers for the Kendo CDN js file:
Access-Control-Allow-Origin:*
Age:2090036
Cache-Control:public
Cache-Control:max-age=315360000
Connection:Keep-Alive
Content-Encoding:gzip
Content-Type:application/x-javascript
Date:Mon, 31 Aug 2015 05:26:00 GMT
Expires:Thu, 31 Dec 2037 23:55:55 GMT
Last-Modified:Wed, 16 Jul 2014 11:39:32 GMT
Proxy-Connection:Keep-Alive
Server:nginx
Transfer-Encoding:chunked
Via:1.1 f918bd73555184c9b61c8f42f80c79d1.cloudfront.net (CloudFront)
X-Amz-Cf-Id:emh9zGudv4PxjIHbO0ZEbGIGJoTIGViqcncMZ6ciuUD1geap_pIdfg==
X-Cache:Hit from cloudfront
Response headers for the local js file:
Accept-Ranges:bytes
Access-Control-Allow-Headers:Content-Type
Access-Control-Allow-Methods:POST, GET, OPTIONS
Access-Control-Allow-Origin:*
Content-Length:1731401
Content-Type:application/javascript
Date:Thu, 24 Sep 2015 10:01:29 GMT
ETag:"fbc07be8aaf6d01:0"
Last-Modified:Thu, 24 Sep 2015 09:25:09 GMT
Server:Microsoft-IIS/8.0
X-Powered-By:ASP.NET
As far as my research goes, there are several steps in order to make sure that browser caching is disabled. These HTTP headers must be set:
Cache-Control: no-cache, no-store, must-revalidate, proxy-revalidate
Pragma: no-cache
Expires: -1
Last-Modified: -1
I have found out that this can be done in two ways:
Way One: use the web.config file
<add name="Cache-Control" value="no-store, no-cache, must-revalidate, proxy-revalidate"/>
<add name="Pragma" value="no-cache" />
<add name="Expires" value="-1" />
<add name="Last-Modified" value="-1" />
Way Two: use the meta tags in _Layout.cshtml
<meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate, proxy-revalidate" />
<meta http-equiv="Pragma" content="no-cache" />
<meta http-equiv="Expires" content="-1" />
<meta http-equiv="Expires" content="-1" />
My Question: which is the better approach? Or, alternatively, are they equally acceptable? How do these all relate to different platforms? Which browsers would honor what headers?
In addition, please feel free to add anything I've missed, if any.
Okay folks, it seems I made a blunt mistake. There is a best way, and that is not using meta tags. The only correct way is to use headers.
Why not use meta tags? Because they are guaranteed not to work with proxies, which do not read (are not supposed to read) the HTML body; they rely on the headers.
When both Cache-Control and Expires are present, Cache-Control takes precedence. Source here.
The Cache-Control general-header field is used to specify directives that MUST be obeyed by all caching mechanisms along the request/response chain. Source here.
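As an added example that is not code from either of the questions or answers about disabling caching (the Rails logout thread at the top and the web.config versus meta-tag thread just above), here is a Rack-style middleware in plain Ruby (the rack gem is not required) that stamps the header set onto every response belonging to a logged-in session, plus an audit helper that applies the precedence rule from the answer (Cache-Control max-age wins over Expires) to report what a history cache or proxy would still be allowed to reuse. The env key that marks a logged-in user, the injectable clock and the inner app are assumptions for the demo.

```ruby
require 'time'

# The header set from the answers above, applied to authenticated responses.
NO_STORE = { 'Cache-Control' => 'no-store, no-cache, must-revalidate, proxy-revalidate',
             'Pragma' => 'no-cache', 'Expires' => '0' }.freeze

# Rack-style middleware: wraps any app whose call(env) returns
# [status, headers, body]. The session env key and clock are assumed for the demo.
class NoStoreForAuthenticated
  def initialize(app, session_key: 'rack.session.user_id', clock: -> { Time.now })
    @app, @session_key, @clock = app, session_key, clock
  end

  def call(env)
    status, headers, body = @app.call(env)
    if env[@session_key]
      headers = headers.merge(NO_STORE)
      headers['Last-Modified'] = @clock.call.httpdate # the "now" must be dynamic
    end
    [status, headers, body]
  end
end

def fetch_header(headers, name)
  pair = headers.find { |k, _| k.casecmp?(name) }
  pair && pair[1]
end

# Seconds a cache would treat the response as fresh. Cache-Control max-age takes
# precedence; Expires counts only without it, and an unparsable "0"/"-1" is expired.
def freshness_lifetime(headers, now)
  if (m = fetch_header(headers, 'Cache-Control').to_s.match(/\bmax-age=(\d+)/i))
    return m[1].to_i
  end
  exp = fetch_header(headers, 'Expires') or return 0
  [Time.httpdate(exp) - now, 0].max.to_i
rescue ArgumentError
  0
end

# Audit a response for the back-button problem; an empty list means nothing
# a history cache or proxy is allowed to reuse.
def audit_logout_protection(headers, now = Time.now)
  findings = []
  findings << 'Cache-Control lacks no-store' unless fetch_header(headers, 'Cache-Control').to_s.match?(/\bno-store\b/i)
  findings << 'Pragma: no-cache missing' unless fetch_header(headers, 'Pragma').to_s.match?(/no-cache/i)
  life = freshness_lifetime(headers, now)
  findings << "still fresh for #{life}s" if life > 0
  findings
end
```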
I'm working with WebHarvest to fetch data from a site that requires logging in.
It's set up like this:
Page 1 = Login page
Page 2 = Login validation page
Page 3 = Statistics page
On page 2 a cookie is set. When monitoring the opening of Page 2 with Firebug I get these headers:
Connection Keep-Alive
Content-Type text/html; charset=UTF-8
Date Tue, 23 Oct 2012 18:25:12 GMT
Keep-Alive timeout=15, max=100
Server Apache/2.0.64 (Win32) JRun/4.0 SVN/1.3.2 DAV/2
Set-Cookie SESSION=hej123;expires=Thu, 16-Oct-2042 18:25:12 GMT;path=/
Transfer-Encoding chunked
When calling the same page with WebHarvest I only get these headers:
Date=Tue, 23 Oct 2012 18:31:51 GMT
Server=Apache/2.0.64 (Win32) JRun/4.0 SVN/1.3.2 DAV/2
Transfer-Encoding=chunked
Content-Type=text/html; charset=UTF-8
It seems that three headers (Set-Cookie, Connection and Keep-Alive) are not found by WebHarvest. Pages 1, 2 and 3 are dummies, so no actual validation is done. The cookie is always set on the server side for Page 2.
Here is the WebHarvest code I am currently using:
<var-def name="content2">
    <html-to-xml>
        <http method="post" url="http://myurl.com/page2.cfm">
            <http-param name="Login">sigge</http-param>
            <http-param name="Password">hej123</http-param>
            <http-param name="doLogin">Logga in</http-param>
            <loop item="currField">
                <list>
                    <var name="ctxtNewInputs" />
                </list>
                <body>
                    <script><![CDATA[
                        item = (NvPair) currField.getWrappedObject();
                        SetContextVar("itemName", item.name);
                        SetContextVar("itemValue", item.value);
                    ]]></script>
                    <http-param name="${item.name}"><var name="itemValue" /></http-param>
                </body>
            </loop>
            <script><![CDATA[
                String keys = "";
                for (int i = 0; i < http.headers.length; i++) {
                    keys += (http.headers[i].key + "=" + http.headers[i].value + "\n---\n");
                }
                SetContextVar("myCookie", keys);
            ]]></script>
            <file action="write" path="c:/kaka.txt">
                <var name="myCookie"/>
            </file>
        </http>
    </html-to-xml>
</var-def>
Edit:
When checking, I noticed that the cookie is set in WebHarvest, even if the http header can't be found programmatically. Is it possible that some response headers are hidden from usage?
Does anyone know a work-around for this problem?
Thank you and best regards,
SiggeLund
The way to get http header value into user-defined variable scoped for the whole config is the following:
<http url="your.url.here" method="GET">
<!--Any settings you apply for the POST/GET call-->
</http>
<!--Now you've got your http object you are going to get header value from -->
<!--At its simplest, the acquisition of the value goes like the below-->
<var-def name="fifth_header_val">
<script return="http.headers[5].value"/>
</var-def>
The above is just to give a clue. You can iterate over http.headers index and collect keys and values you need for your particular task.