Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

HTTP Caching with Authorization

Given a response from a web server that contains an Authorization header as per the OAuth spec does HTTP caching fail to be useful?

Request1 Authorization : AUTHTOKEN
Request2 Authorization : ANOTHERAUTOTOKEN

In this case given HTTP caching the second request would return the cached response for the first user. This isn't a problem for content that is generic across users, but this feels wrong for a shared cache to be providing responses for other users.

Likewise if we were to use a Vary header and vary by Authorization, this means our cache would store a cached copy per token which surely defeats the purpose of HTTP caching. The browsers local cache (private) would work fine, but this would still mean an origin request from each user at least once per session.

Edit

The service in question requires Authorization for all requests, however based on what I've read, serving responses from a Shared cache that include Authorization headers shouldn't be done unless must-revalidate, public, and s-maxage are present.

My question therefore is, given an API that has both generic (responses the same across all users) and user specific responses, is caching even possible? Having s-maxage and public headers but an authorization header would mean that the cache would resolve UserA's response to UserB, UserC and so on if I'm following the RFC correctly.

like image 756
Finglas Avatar asked Mar 03 '15 16:03

Finglas


People also ask

What is auth cache?

When a network makes use of authentication caching, a user's request to the application server is only forwarded once they are authorized and verified as having the necessary permission to access the requested content.

Which HTTP requests can be cached?

But HTTP caching is applicable only to idempotent requests, which makes a lot of sense; only idempotent and nullipotent requests yield the same result when run multiple times. In the HTTP world, this fact means that GET requests can be cached but POST requests cannot.

How does HTTP support caching?

HTTP caching occurs when the browser stores local copies of web resources for faster retrieval the next time the resource is required. As your application serves resources it can attach cache headers to the response specifying the desired cache behavior.


1 Answers

See http://greenbytes.de/tech/webdav/rfc7234.html#response.cacheability:

"A cache MUST NOT store a response to any request, unless: The request method is understood by the cache and defined as being cacheable, and ... the Authorization header field (see Section 4.2 of [RFC7235]) does not appear in the request, if the cache is shared, unless the response explicitly allows it, ..."

like image 98
Julian Reschke Avatar answered Oct 03 '22 05:10

Julian Reschke