From: Jonathon McKitrick
Subject: Hate to ask Araneida questions here, but.... cookies, cache, and authorization?
Date: 
Message-ID: <1142182886.925445.180750@p10g2000cwp.googlegroups.com>
The Araneida mailing list doesn't seem to have much activity.

Here's the problem:  I'm finding that even though my
cookie/authorization code seems to be working correctly (it's following
the correct paths), I'm able to reach protected pages when the cookie
is not present, and sometimes requests for the protected page are not
returning the correct page when the cookie *is* present.

I think this is a caching issue.  I'm using request-redirect with the
cache-control to force both the login pages and the protected pages to
be reloaded, but I get a feeling this isn't working.

Is there any solid, working login/authorization code for Araneida I can
find on the web?  UCW isn't quite there yet, and cliki seems to have
the same issue, since that's what I used as a jumping off point.

From: Kaz Kylheku
Subject: Re: Hate to ask Araneida questions here, but.... cookies, cache, and authorization?
Date: 
Message-ID: <1142188619.534292.273390@u72g2000cwu.googlegroups.com>
Jonathon McKitrick wrote:
> I think this is a caching issue.  I'm using request-redirect with the
> cache-control to force both the login pages and the protected pages to
> be reloaded, but I get a feeling this isn't working.

You should probably be using the cache-related HTTP response headers,
no?

In HTTP 1.0, the server can tell the client (or some caching proxy in
between) how long a page, or any other element such as an image, should
be retained. That's via the Expires: header.

In 1.1 there is the Cache-Control: header with a bunch more bells and
whistles. That's probably what you want to use: Cache-Control:
no-cache.

From: Jonathon McKitrick
Subject: Re: Hate to ask Araneida questions here, but.... cookies, cache, and authorization?
Date: 
Message-ID: <1142348732.549114.147950@j33g2000cwa.googlegroups.com>
Kaz Kylheku wrote:
> You should probably be using the cache-related HTTP response headers,
> no?

Actually, I am.  Both the <meta> tags in the html AND the actual http
headers in Araneida.  But Firefox keeps returning the last copy of the
page accessed.

If I'm logged out and access the restricted page, I get the 'denied'
page.  Fine.
If I'm logged out and then log in, I am redirected to the 'thank you'
page.  Also fine.
But if I log in and then out, I can still see the restricted page from
the cache.  Not good.
If I log in with a bad user/password, then log in correctly, I get the
'incorrect id' rather than the 'thank you' page.  Also not good.

From: Kaz Kylheku
Subject: Re: Hate to ask Araneida questions here, but.... cookies, cache, and authorization?
Date: 
Message-ID: <1142364036.879649.44650@j52g2000cwj.googlegroups.com>
Jonathon McKitrick wrote:
> Kaz Kylheku wrote:
> > You should probably be using the cache-related HTTP response headers,
> > no?
>
> Actually, I am.  Both the <meta> tags in the html AND the actual http
> headers in Araneida.  But Firefox keeps returning the last copy of the
> page accessed.

The meta tags are useless, because caching proxies tend to ignore them.
It's not exactly reasonable for a caching proxy to parse the HTML
streaming through it to determine cache-control information. A caching
proxy should just store the file, and retrieve it based on URL, using
the HTTP headers as a clue how long to store the file, or whether to do
it at all.

So forget the meta tags!

Are the headers being pushed to your browser properly? I'd whip out
tcpdump or ethereal and see what's actually going on.

> If I'm logged out and access the restricted page, I get the 'denied'
> page.  Fine.
> If I'm logged out and then log in, I am redirected to the 'thank you'
> page.  Also fine.
> But if I log in and then out, I can still see the restricted page from
> the cache.  Not good.

Did you verify that there actually was a "Cache-Control: no-cache"
header pushed out to the browser?

If the browser gets that and still caches the page, what can you do?
When something is pulled from a cache, the server never sees any
request, so nothing can be done on that end.

From: Kaz Kylheku
Subject: Re: Hate to ask Araneida questions here, but.... cookies, cache, and authorization?
Date: 
Message-ID: <1142365069.020675.145130@p10g2000cwp.googlegroups.com>
> Did you verify that there actually was a "Cache-Control: no-cache"
> header pushed out to the browser?
>
> If the browser gets that and still caches the page, what can you do?
> When something is pulled from a cache, the server never sees any
> request, so nothing can be done on that end.

Also, check whether this behavior isn't going on: the browser
validating the restricted page and getting a 304 (not modified) from
your server.

From: Jonathon McKitrick
Subject: Re: Hate to ask Araneida questions here, but.... cookies, cache, and authorization?
Date: 
Message-ID: <1142389789.427183.219080@u72g2000cwu.googlegroups.com>
Kaz Kylheku wrote:
> Also, check whether this behavior isn't going on: the browser
> validating the restricted page and getting a 304 (not modified) from
> your server.

Actually, I think I *am* seeing this.  What now?
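
The 304 case raised at the end of the thread, as an added example that is not part of the original posts and is not Araneida code: a framework-agnostic Python sketch in which the session cookie is checked before the conditional GET is answered, next to the order that lets a logged-out browser revalidate its cached copy. The handler names, the `sid` cookie, the session set and the page body are assumptions made for the illustration.

```python
# Constructed, framework-agnostic sketch; all names are hypothetical, not Araneida's API.
import hashlib

SESSIONS = {"s3cr3t-token"}           # server-side ids of sessions currently logged in
PAGE_BODY = b"<h1>Members only</h1>"  # constructed protected page
ETAG = '"%s"' % hashlib.sha256(PAGE_BODY).hexdigest()[:16]

# "no-cache" lets the browser keep a copy but forces it to revalidate on every use,
# so the handler sees each request; "private" keeps shared proxies from storing it.
REVALIDATE = {"Cache-Control": "private, no-cache"}


def session_id(headers):
    """Pull the 'sid' cookie out of a request's Cookie header, or None."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return value
    return None


def handle_validate_first(headers):
    """Buggy order: the conditional GET is answered before the cookie is checked."""
    if headers.get("If-None-Match") == ETAG:
        return 304, {"ETag": ETAG}, b""
    if session_id(headers) not in SESSIONS:
        return 403, {}, b"denied"
    return 200, {"ETag": ETAG}, PAGE_BODY


def handle_auth_first(headers):
    """Authorization runs on every request; a 304 is only sent to a live session."""
    if session_id(headers) not in SESSIONS:
        return 403, dict(REVALIDATE), b"denied"
    if headers.get("If-None-Match") == ETAG:
        return 304, dict(REVALIDATE, ETag=ETAG), b""
    return 200, dict(REVALIDATE, ETag=ETAG), PAGE_BODY


def revalidate_after_logout(handler):
    """Replay the thread's case: log in, fetch, log out, browser revalidates its copy."""
    SESSIONS.add("s3cr3t-token")
    _, first, _ = handler({"Cookie": "sid=s3cr3t-token"})
    SESSIONS.discard("s3cr3t-token")  # logout: session removed, cookie cleared
    status, hdrs, _ = handler({"If-None-Match": first["ETag"]})
    return status, hdrs
```

With the first handler the logged-out revalidation gets a 304 and the browser redisplays its stored copy; with the second it gets the 403 body instead.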