[ofbiz-framework] branch release17.12 updated: Improved: Improve Web Content Caching

[ofbiz-framework] branch release17.12 updated: Improved: Improve Web Content Caching

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release17.12 by this push:
     new 7e03082  Improved: Improve Web Content Caching
7e03082 is described below

commit 7e03082d92cf6b7c5434fac3f50f5a7a0415a8b9
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Fri Mar 27 10:05:37 2020 +0100

    Improved: Improve Web Content Caching
   
    (OFBIZ-11477)
   
    According to OWASP, OFBiz Web Content Caching is weak:
   
    Independently of the cache policy defined by the web application, if caching web
    application contents is allowed, the session IDs must never be cached, so it is
    highly recommended to use the Cache-Control: no-cache="Set-Cookie, Set-Cookie2"
    directive, to allow web clients to cache everything except the session ID
   
    I noticed though that Set-Cookie2 has been deprecated for a long time now. And with
    new browsers' policies it is too often updated. So there is no need to use Set-Cookie2.
---
 .../src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java   | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
index 864f352..6802da1 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
@@ -954,6 +954,8 @@ public class RequestHandler {
         if (viewNoCache) {
            UtilHttp.setResponseBrowserProxyNoCache(resp);
            if (Debug.verboseOn()) Debug.logVerbose("Sending no-cache headers for view [" + nextPage + "]", module);
+        } else {
+            resp.setHeader("Cache-Control", "Set-Cookie");
         }
         
         //Security Headers
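Review bot: the added line `resp.setHeader("Cache-Control", "Set-Cookie");` does not implement the OWASP directive quoted in the commit message. `Set-Cookie` by itself is not a Cache-Control directive, so caches ignore it, and since the `else` branch adds no `no-cache`, `no-store` or `private`, the response (including its Set-Cookie header) stays cacheable. The quoted form is `no-cache="Set-Cookie"`; note that RFC 7234 describes this field-name form of `no-cache` as not widely implemented, so `Cache-Control: no-store` (or `private`) on responses that set the session cookie is the more reliable choice. Also, `setHeader` replaces any Cache-Control value set earlier in the request chain; consider `addHeader`, or guard with `resp.containsHeader("Cache-Control")`, so an explicit policy set by a view is not overwritten.

To make the difference between the commit's header and the OWASP directive concrete, here is an added response-header audit written for this review (not OFBiz code, and not part of the original email). It parses `Cache-Control` per RFC 7234 syntax, including quoted field-name lists, and classifies whether a response carrying `Set-Cookie` can still be cached. The sample responses are constructed, including the `JSESSIONID` cookie value.

```python
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Parse a Cache-Control value into {directive: argument-or-None}.

    Commas inside quoted strings (e.g. no-cache="Set-Cookie, Set-Cookie2")
    are part of the argument, not directive separators.
    """
    parts: List[str] = []
    buf: List[str] = []
    in_quotes = False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))

    directives: Dict[str, Optional[str]] = {}
    for part in parts:
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if arg else None
    return directives


def session_cookie_cache_verdict(headers: List[Header]) -> str:
    """Classify how caches may treat a response that sets a cookie.

    Returns one of:
      "no-cookie"    - nothing to protect
      "protected"    - no-store, or bare no-cache (caches must revalidate)
      "private-only" - shared caches must not store; browser cache may
      "field-form"   - no-cache="Set-Cookie"/private="Set-Cookie" only;
                       RFC 7234 notes this form is not widely implemented
      "cacheable"    - no effective directive; Set-Cookie can be cached
    """
    if not any(k.lower() == "set-cookie" for k, _ in headers):
        return "no-cookie"
    # Multiple Cache-Control headers combine as a comma-separated list.
    combined = ", ".join(v for k, v in headers if k.lower() == "cache-control")
    d = parse_cache_control(combined)
    if "no-store" in d:
        return "protected"
    for directive, verdict in (("no-cache", "protected"), ("private", "private-only")):
        if directive in d:
            if d[directive] is None:
                return verdict
            fields = {f.strip().lower() for f in d[directive].split(",")}
            if "set-cookie" in fields:
                return "field-form"
    return "cacheable"


# Constructed sample responses (not captured from a real OFBiz instance).
COOKIE = ("Set-Cookie", "JSESSIONID=constructed-value; Path=/; HttpOnly")
SAMPLES = {
    "commit_value": [COOKIE, ("Cache-Control", "Set-Cookie")],
    "owasp_quoted": [COOKIE, ("Cache-Control", 'max-age=600, no-cache="Set-Cookie, Set-Cookie2"')],
    "no_store": [COOKIE, ("Cache-Control", "no-store")],
    "bare_no_cache": [COOKIE, ("Cache-Control", "no-cache")],
    "private": [COOKIE, ("Cache-Control", "private, max-age=60")],
    "no_cookie": [("Cache-Control", "public, max-age=3600")],
}


def audit_samples() -> Dict[str, str]:
    """Run the verdict over every constructed sample."""
    return {name: session_cookie_cache_verdict(hdrs) for name, hdrs in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        print(f"{name:14s} -> {verdict}")
```

Run against the samples, the commit's `Cache-Control: Set-Cookie` is reported as `cacheable`, while `no-store` and bare `no-cache` are `protected`; the exact OWASP string parses correctly but lands in `field-form`, which is why the note above prefers `no-store` for responses that set the session cookie.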