Simplify cache disabling headers.

This patch changes the headers sent to prevent errornous caching of the
responses sent to only use a single header:

   Cache-Control: private, must-revalidate

This single header should ensure that the data isn't shared between
multiple users, and that the browser checks that the content is still
valid for each request (enabling logout to work as expected).

This drops the Exires-header, which should be unnecessary since all
modern browsers support the Cache-Control-header.

Thanks to Arthur Müller for providing this patch.

git-svn-id: https://modmellon.googlecode.com/svn/trunk@223 a716ebb1-153a-0410-b759-cfb97c6a1b53

3 files changed, 13 insertions, 25 deletions

diff --git a/auth_mellon.h b/auth_mellon.h
index e192850..f99cf6f 100644
--- a/auth_mellon.h
+++ b/auth_mellon.h
@@ -342,7 +342,7 @@ void am_delete_request_session(request_rec *r, am_cache_entry_t *session);
 
 char *am_reconstruct_url(request_rec *r);
 int am_check_permissions(request_rec *r, am_cache_entry_t *session);
-void am_set_nocache(request_rec *r);
+void am_set_cache_control_headers(request_rec *r);
 int am_read_post_data(request_rec *r, char **data, apr_size_t *length);
 char *am_extract_query_parameter(apr_pool_t *pool,
                                  const char *query_string,
diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
index e471bdc..f93ba6e 100644
--- a/auth_mellon_handler.c
+++ b/auth_mellon_handler.c
@@ -3168,8 +3168,8 @@ int am_auth_mellon_user(request_rec *r)
 	return DECLINED;
     }
 
-    /* Disable all caching within this location. */
-    am_set_nocache(r);
+    /* Set defaut Cache-Control headers within this location */
+    am_set_cache_control_headers(r);
 
     /* Check if this is a request for one of our endpoints. We check if
      * the uri starts with the path set with the MellonEndpointPath
diff --git a/auth_mellon_util.c b/auth_mellon_util.c
index c383d54..ad9e90a 100644
--- a/auth_mellon_util.c
+++ b/auth_mellon_util.c
@@ -391,9 +391,7 @@ int am_check_permissions(request_rec *r, am_cache_entry_t *session)
     return OK;
 }
 
-
-/* This function disables caching of the response to this request. It does
- * this by setting the Pragme: no-cache and Cache-Control: no-cache headers.
+/* This function sets default Cache-Control headers.
  *
  * Parameters:
  *  request_rec *r       The request we are handling.
@@ -401,31 +399,21 @@ int am_check_permissions(request_rec *r, am_cache_entry_t *session)
  * Returns:
  *  Nothing.
  */
-void am_set_nocache(request_rec *r)
+void am_set_cache_control_headers(request_rec *r)
 {
-     const char *user_agent;
-
-    /* Setting the headers inn err_headers_out ensures that they will be
+    /* Send Cache-Control header to ensure that:
+     * - no proxy in the path caches content inside this location (private),
+     * - user agent have to revalidate content on server (must-revalidate).
+     *
+     * But never prohibit specifically any user agent to cache or store content
+     *
+     * Setting the headers in err_headers_out ensures that they will be
      * sent for all responses.
      */
     apr_table_setn(r->err_headers_out,
-		   "Expires", "Thu, 01 Jan 1970 00:00:00 GMT");
-    apr_table_setn(r->err_headers_out,
-		   "Cache-Control", "private, must-revalidate");
-
-    /* 
-     * Never use Cache-Control: no-cache for IE
-     */
-    user_agent = apr_table_get(r->headers_in, "User-Agent");
-    if ((user_agent == NULL) ||
-         (strstr(user_agent, "compatible; MSIE ") == NULL) ||
-         (strstr(user_agent, "Opera") != NULL)) {
-        apr_table_addn(r->err_headers_out,
-		       "Cache-Control", "no-cache, no-store");
-    }
+                   "Cache-Control", "private, must-revalidate");
 }
 
-
 /* This function reads the post data for a request.
  *
  * The data is stored in a buffer allocated from the request pool.