This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

The following commit(s) were added to refs/heads/release18.12 by this push:
new b466b96 Improved: Improve Web Content Caching
b466b96 is described below
commit b466b967414f62d17b6cd4f38e62f80b829199ca
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Fri Mar 27 10:05:37 2020 +0100
Improved: Improve Web Content Caching
(OFBIZ-11477)
According to OWASP, OFBiz Web Content Caching is weak:
Independently of the cache policy defined by the web application, if caching web
application contents is allowed, the session IDs must never be cached, so it is
highly recommended to use the Cache-Control: no-cache="Set-Cookie, Set-Cookie2"
directive, to allow web clients to cache everything except the session ID
I noticed, though, that Set-Cookie2 has been deprecated for a long time now. And with new browser policies it is too often updated. So there is no need to use Set-Cookie2.
---
.../src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java | 2 ++
1 file changed, 2 insertions(+)
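The OWASP rule quoted in the commit message is easy to get wrong because a cache silently ignores any Cache-Control token it does not recognise. The checker below is an added example written for this page, not OFBiz code and not part of the commit; it assumes response headers are supplied as a plain dict and applies the RFC 7234 directive semantics (no-store, unqualified and field-qualified no-cache / private) to decide whether a shared cache may replay a response's Set-Cookie header. The sample responses are constructed, including one that carries the exact header value the patch sets.

```python
"""Audit a response's Cache-Control for the OWASP "never cache the session ID" rule.

Assumptions (not from the OFBiz code base): headers are given as a plain
dict of header name -> value, and caching semantics follow RFC 7234.
"""


def split_directives(value):
    """Split a Cache-Control field value on commas outside quoted-strings.
    Backslash escapes inside quotes are honoured; quotes are kept for the caller."""
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(value):
        c = value[i]
        if in_quotes and c == "\\" and i + 1 < len(value):
            buf.append(value[i + 1])   # quoted-pair: keep the escaped character
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c == "," and not in_quotes:
            parts.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_cache_control(value):
    """Return [(directive, argument)] with lower-cased directive names.
    A directive without '=' gets None; quoted arguments are unquoted."""
    directives = []
    for part in split_directives(value):
        name, sep, arg = part.partition("=")
        name = name.strip().lower()
        arg = arg.strip() if sep else None
        if arg is not None and len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]
        directives.append((name, arg))
    return directives


def _field_names(arg):
    """Header names listed in a no-cache="..." or private="..." argument."""
    return {n.strip().lower() for n in arg.split(",") if n.strip()}


def set_cookie_replayable(cache_control):
    """True if a shared cache obeying RFC 7234 may serve the stored Set-Cookie
    header of this response to another client without revalidating it.
    Anything that is not a recognised directive (e.g. the bare token
    "Set-Cookie") is ignored by caches and therefore protects nothing."""
    for name, arg in parse_cache_control(cache_control):
        if name == "no-store":
            return False
        if name in ("no-cache", "private"):
            # unqualified: whole response; qualified: only the listed fields
            if arg is None or "set-cookie" in _field_names(arg):
                return False
    return True


def session_id_exposed(headers):
    """True if the response sets a cookie and its Cache-Control does not keep
    that Set-Cookie out of shared caches. A missing Cache-Control is treated
    as cacheable, since Set-Cookie alone does not forbid caching."""
    lower = {k.lower(): v for k, v in headers.items()}
    if "set-cookie" not in lower:
        return False
    return set_cookie_replayable(lower.get("cache-control", ""))


# Constructed sample responses, not captured from any real server.
SAMPLES = {
    "ofbiz patch":      {"Set-Cookie": "JSESSIONID=abc123; Path=/",
                         "Cache-Control": "Set-Cookie"},
    "owasp":            {"Set-Cookie": "JSESSIONID=abc123; Path=/",
                         "Cache-Control": 'no-cache="Set-Cookie, Set-Cookie2"'},
    "public max-age":   {"Set-Cookie": "JSESSIONID=abc123; Path=/",
                         "Cache-Control": "public, max-age=3600"},
    "no-store":         {"Set-Cookie": "JSESSIONID=abc123; Path=/",
                         "Cache-Control": "no-store"},
    "no cookie at all": {"Cache-Control": "public, max-age=3600"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print("%-18s exposed=%s" % (label, session_id_exposed(hdrs)))
```

Running it shows the "ofbiz patch" sample as exposed: `Cache-Control: Set-Cookie` parses as an unknown directive with no argument, so a cache treats the response as freely cacheable, whereas the OWASP form `no-cache="Set-Cookie"` is flagged as safe. One caveat the checker cannot capture: RFC 7234 itself notes that the field-name-qualified form of no-cache is not widely implemented, with many caches treating it as an unqualified no-cache, so the result describes what a compliant cache may do, not what a given CDN or proxy actually does; for responses that issue the session cookie, `no-store` is the dependable choice.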
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
index 3991bcb..e1d1745 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
@@ -1022,6 +1022,8 @@ public class RequestHandler {
if (viewNoCache) {
UtilHttp.setResponseBrowserProxyNoCache(resp);
if (Debug.verboseOn()) Debug.logVerbose("Sending no-cache headers for view [" + nextPage + "]", module);
+ } else {
+ resp.setHeader("Cache-Control", "Set-Cookie");
}
//Security Headers
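Review bot: the new else branch, `resp.setHeader("Cache-Control", "Set-Cookie");`, does not send the directive the commit message quotes. `Set-Cookie` by itself is not a Cache-Control directive, so caches ignore the token and the session cookie stays cacheable; the OWASP form is the field-qualified no-cache, i.e. `resp.setHeader("Cache-Control", "no-cache=\"Set-Cookie\"");`. Two further points for the same lines: `setHeader` replaces any Cache-Control value already placed on the response, so either use `addHeader` or merge with the existing value, and since RFC 7234 notes the field-qualified no-cache is not widely honoured by caches, consider `no-store` on responses that issue the session cookie. A short comment citing OFBIZ-11477 and the OWASP recommendation would also help the next reader understand why this header is set on every non-no-cache view.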