Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

HTTP Caching with Authorization

Tags:

http

caching

http-caching

Given a response from a web server that contains an Authorization header as per the OAuth spec does HTTP caching fail to be useful?

Request1 Authorization : AUTHTOKEN
Request2 Authorization : ANOTHERAUTOTOKEN

In this case given HTTP caching the second request would return the cached response for the first user. This isn't a problem for content that is generic across users, but this feels wrong for a shared cache to be providing responses for other users.

Likewise if we were to use a Vary header and vary by Authorization, this means our cache would store a cached copy per token which surely defeats the purpose of HTTP caching. The browsers local cache (private) would work fine, but this would still mean an origin request from each user at least once per session.

Edit

The service in question requires Authorization for all requests, however based on what I've read, serving responses from a Shared cache that include Authorization headers shouldn't be done unless must-revalidate, public, and s-maxage are present.

My question therefore is, given an API that has both generic (responses the same across all users) and user specific responses, is caching even possible? Having s-maxage and public headers but an authorization header would mean that the cache would resolve UserA's response to UserB, UserC and so on if I'm following the RFC correctly.

like image 756
Finglas Avatar asked Mar 03 '15 16:03

Finglas

People also ask

What is auth cache?

When a network makes use of authentication caching, a user's request to the application server is only forwarded once they are authorized and verified as having the necessary permission to access the requested content.

Which HTTP requests can be cached?

But HTTP caching is applicable only to idempotent requests, which makes a lot of sense; only idempotent and nullipotent requests yield the same result when run multiple times. In the HTTP world, this fact means that GET requests can be cached but POST requests cannot.

How does HTTP support caching?

HTTP caching occurs when the browser stores local copies of web resources for faster retrieval the next time the resource is required. As your application serves resources it can attach cache headers to the response specifying the desired cache behavior.

1 Answers

See http://greenbytes.de/tech/webdav/rfc7234.html#response.cacheability:

"A cache MUST NOT store a response to any request, unless: The request method is understood by the cache and defined as being cacheable, and ... the Authorization header field (see Section 4.2 of [RFC7235]) does not appear in the request, if the cache is shared, unless the response explicitly allows it, ..."

like image 98
Julian Reschke Avatar answered Oct 03 '22 05:10

Julian Reschke
Sign in to Comment

Related questions

C# method to do URL encoding?
CONNECT request to a forward HTTP proxy over an SSL connection?
Wordpress wp-admin redirects to https
iOS Can't perform HTTP GET request -Error Domain=NSURLErrorDomain Code=-1012
How do you find a free TCP server port using Ruby?
SOAP versus HTTP [duplicate]
Why Chrome Dev Tool shows a 200 status code instead of 304
Is it possible to use parameterized URL templates with angular $http service
HTTP POST using XHR with Chunked Transfer Encoding
Android http Tunnel using VpnService
URL Path Parameter Use Cases
Can you make a HTTP PATCH request from Javascript?
Is there a alternative default port number for https (443) which is above 1024?
How does HTTP file upload work for large files?
C# send image over HTTP
Decoding RFC 2231 headers
How to use http/2 with Okhttp on Android devices?
HTTP Digest Authentication

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!