This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository
https://gitbox.apache.org/repos/asf/ofbiz-framework.gitThe following commit(s) were added to refs/heads/trunk by this push:
new 2bb1de2 Improved: Improve Web Content Caching
2bb1de2 is described below
commit 2bb1de22ccf921d666271d7f8aa217893778f02f
Author: Jacques Le Roux <
[hidden email]>
AuthorDate: Fri Mar 27 10:05:37 2020 +0100
Improved: Improve Web Content Caching
(OFBIZ-11477)
According to OWASP OFBiz Web Content Caching is weak:
Independently of the cache policy defined by the web application, if caching web
application contents is allowed, the session IDs must never be cached, so it is
highly recommended to use the Cache-Control: no-cache="Set-Cookie, Set-Cookie2"
directive, to allow web clients to cache everything except the session ID
I though noticed that Set-Cookie2 is deprecated for a long time now. And we new
browsers policies it to often updated. So no need to use Set-Cookie2.
---
.../src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java | 2 ++
1 file changed, 2 insertions(+)
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
index 5a47fe3..e7de929 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
@@ -966,6 +966,8 @@ public class RequestHandler {
if (viewNoCache) {
UtilHttp.setResponseBrowserProxyNoCache(resp);
if (Debug.verboseOn()) Debug.logVerbose("Sending no-cache headers for view [" + nextPage + "]", module);
+ } else {
+ resp.setHeader("Cache-Control", "Set-Cookie");
}
//Security Headers
Locked
