On Tue, 23 Apr 2002 11:52:26 +0100, Richard Barrett <R.Barrett@ftel.co.uk> wrote:
> Unless someone can refute this scenario (please, please do) then it appears to me that Cache-Control headers need to be added to all responses conditional on authentication by Zope using cookie authentication.
I believe you are correct. Cache-Control:private is needed on pages accessed under cookie authentication, and probably Cache-Control:no-cache on the page that sets the cookie.
> Maybe Zope should just add a Cache-Control header with a value of private, no-cache or no-store to all responses that its security sub-system determines are to other than the Anonymous user. It would do no harm if Basic Authentication were being used and would plug the security hole I have posited if cookie authentication were in use.
Yes, but it must allow the published method to set its own headers first. I once had a patch that did the opposite of that: It set Cache-Control:public on all responses that were accessed by an authenticated user, if it determined that an unauthenticated user could have accessed them too.
> I'd propose a patch myself but I am not that confident in hacking around Zope's security management code.
Put it in the Collector.

Toby Dickenson
tdickenson@geminidataloggers.com
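An illustration of the rule discussed above (add Cache-Control to responses served to a non-anonymous user, but let the published method's own header win, and mark the cookie-setting response no-cache). This is added example code, not code from the thread or from Zope; the header dict, the ANONYMOUS name and both function names are assumptions.

```python
"""Model of the Cache-Control policy from the thread (illustrative, not Zope's code)."""

# Assumed placeholder for the unauthenticated principal's name.
ANONYMOUS = "Anonymous User"


def cache_control_for(headers, user, sets_auth_cookie=False):
    """Return a copy of `headers` with Cache-Control applied per the thread's rule.

    headers          - response headers already set by the published method
    user             - name of the authenticated user, or ANONYMOUS
    sets_auth_cookie - True for the response that sets the login cookie
    """
    out = dict(headers)
    # The published method sets its headers first; never override one it chose.
    if any(name.lower() == "cache-control" for name in out):
        return out
    if user == ANONYMOUS and not sets_auth_cookie:
        return out  # anonymous content: nothing to add
    if sets_auth_cookie:
        # Login response: carries Set-Cookie, so keep it out of shared caches.
        out["Cache-Control"] = "no-cache"
    else:
        # Authenticated page: a shared cache must not serve it to others.
        out["Cache-Control"] = "private"
    return out


def shared_cache_may_store(headers):
    """Approximate a shared cache's decision: False if any directive forbids storing.

    A response with no Cache-Control at all is treated as storable, which is
    exactly the exposure the thread describes for cookie-authenticated pages.
    """
    for name, value in headers.items():
        if name.lower() != "cache-control":
            continue
        directives = {d.strip().split("=")[0].lower() for d in value.split(",")}
        if directives & {"private", "no-store", "no-cache"}:
            return False
    return True
```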