no-cache vs no-store

[siddharthkhare]

Hi All,
what is the diference between these two cache control header.

no-cache and no-store.

I have read the w3.org explanation.

So lets say I am using only no-cache ....my understanding is that
nothing is cached and nothing is writen to disk.

but what happens when we use no-store....i think..nothing is written
to disk but it could be cached.
Now my question where is this cache located...is it only in memory
?....if it is written to disk how log is it there and when does it gets
cleaned.

Is no-cache more secure than no-store ..why?

We can assume IIS and IE6.0 SP2 being used.
Thanks
Siddharth

 

[bruce barker \(sqlwork.com\)]

non-cache and no-store do not really mean not to cache, it means do not
reuse for a subsequent request.

remember the browser is not the only cache. proxy servers cache, web servers
cache, browsers cache, isps add caching routers. in the proxy server case,
it will fetch the page, but it need to maintain it in the cache until the
client has read all of it (as the client network may be a lot slower then
the proxy). if the proxy is handling 100's of requests at the same time, it
may not have enough memory to store these pages in memory and may not honor
the directive anyway.


see this w3c spec on building cache managers. read section 14.9.2

http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html

-- bruce (sqlwork.com)

 

[siddharthkhare]

Bruce,
I understand that caching can happen at various places. But if you set
the caching headers at ISS- Website level than it should apply to all
i.e IE,proxies etc..

thanks for your response but I was tryng to understand what is the
difference between non-cache and no-store?

Also if you look at "no-store" explanation on W3 site...this is what
it says

"The purpose of the no-store directive is to prevent the inadvertent
release or retention of sensitive information (for example, on backup
tapes). "

so my inderstanding was that it will not allow anything pesisted to
IE,proxy etc...I IE case i thought it will be TempInternet files folder
etc.


In other words is it that no-store is doing to achieve prevention of
the inadvertent release or retention of sensitive information?
what is the difference between no-cahe and no-store ?

Thanks
Siddharth

 

[Guest]

I have found that no-store is what to use if you do not want firefox to
display the original downloaded content. For example I wrote an app that let
people change where boxed in areas of a web site were located. Like Google
Personal or Windows Live. Now if a user moved things around, which would be
saved through AJAX and happened back to a cached/stored version of the page
none of there changes would show up because the request is not being made to
the server. So I always use:

Response.Cache.SetCacheability(HttpCacheability.ServerAndNoCache);
Response.Cache.SetAllowResponseInBrowserHistory(false);
Response.Cache.SetNoStore();

If I absouletely want the client to have to go to the server for the
request, instead of hitting one of the cached locations.

 

[Guest]

no-cache - will not save the file to temp internet files like you mentioned.

no-store - will not save the request or the response to and from the server
anywhere, thus forcing the request to be renewed with each visit as I
explained prior. Also I have read it makes it so you cannot use "File > Save"

 

[siddharthkhare]

Thanks Jeremy...

Is it correct to say that no-store is a super set of no-cache.

in other words when you use no-store it will not save anything just
like using no-cache in temp folders etc.. plus restrict other things
like "save as" also.

Thanks
Siddharth

 

[Guest]

Not Necassarily because if you have caching allowed and no-store set it will
force the user to make a new request, but I believe if that request returns
that there is not a difference between the content that is in your cache it
will let the cache serve it to you.

 

[siddharthkhare]

Thaks Jeremy
what is the difference between "Pragma: No-cache" and "Cache Conrol :
no-cache"

 

[Anthony Jones]

Hi All,
what is the diference between these two cache control header.

no-cache and no-store.

I have read the w3.org explanation.

So lets say I am using only no-cache ....my understanding is that
nothing is cached and nothing is writen to disk.

but what happens when we use no-store....i think..nothing is written
to disk but it could be cached.
Now my question where is this cache located...is it only in memory
?....if it is written to disk how log is it there and when does it gets
cleaned.

Is no-cache more secure than no-store ..why?

We can assume IIS and IE6.0 SP2 being used.
Thanks
Siddharth

There seems to be considerable confusion in this thread. However the w3
specs are quite clear as to the function of these values.

Cache-Control: no-cache

When an responses passes through a cache and the entity is cachable (has an
ETag or Last-Modified-Date or possible other rules a cache might use) it
will be cached (even with this header present).

When a subsequent request for that entity arrives at the cache ordinarily
the cache may have used various rules ot determine whether it passes on the
request to the original server (or other proxy in the chain) or whether to
supply the cached entity it has. However since the the original response
carried the no-cache directive the cache MUST not supply the cached entity
with out checking back with the original server. It will use a GET with
If-Modified-Since and/or if-no-match headers and may get a 304 response
indicating it can go ahead and use the cached entity.

Cache-Control: no-store

When a response passes through a cache that has the no-store value the cache
MUST not keep a copy of the entity in the message. Simple as that, no
permanent copy should be found of it anywhere between the origin server and
the browser itself (include the local temporary cache). For buffering
purpose it may appear on disk in a transient file but the file should be
deleted as soon as the cache has passed the entity on.

Pragma: no-cache

Is depracated in HTTP/1.1. It is equivalent to Cache-Control: no-cache. A
client can request that the cache chain between it and the origin server
check to make sure that any entity it intends to send from it's store is up
to date first.

Anthony.

 

[siddharthkhare]

Anthony,
Thanks for the reply.
1)So what happens if you use no-cache with max age of 1 second .....and
no-store on same site together...how does it work...

2)Is it correct that if you use SSL nothing is stored on the browser
caches
as this document states...

So in other words if you use SSL you don't have to worry about caching
security riks on client IE....I think it still caches even if you are
using SSL but this document suggest otherwise..

http://www.mnot.net/cache_docs/

=============================================
Should I worry about security if people access my site through a cache?


SSL pages are not cached (or decrypted) by proxy caches, so you don't
have to worry about that. However, because caches store non-SSL
requests and URLs fetched through them, you should be conscious about
unsecured sites; an unscrupulous administrator could conceivably gather
information about their users, especially in the URL.

In fact, any administrator on the network between your server and your
clients could gather this type of information. One particular problem
is when CGI scripts put usernames and passwords in the URL itself; this
makes it trivial for others to find and user their login.

If you're aware of the issues surrounding Web security in general,
you shouldn't have any surprises from proxy caches.
=============================================

if you have a chance check my message with subject line..
"SSL,IISCache control headers and opening PDF files"

in the same group.
Thanks
Siddharth

 

[siddharthkhare]

I meant .....
Cache-Control: max-age= 1 second....and no-store together

thanks
Siddharth

 

[Anthony Jones]

Anthony,
Thanks for the reply.
1)So what happens if you use no-cache with max age of 1 second .....and
no-store on same site together...how does it work...

Site is irrelevant from the HTTP point of view this URL

http://mysite.com/myfolder/mypage.asp?val=1

and this URL

http://mysite.com/myfolder/mypage.asp?val=2

are entirely different resources and they each can have completely different
headers.

If you are asking what happens if you response to a single URL with both
no-cache and no-store then one would hope a cache implementaion would honor
the no-store over the no-cache but to be sure it wouldn't be wise to send
both in the same response. max-age will be ignored if either of these is
present.

2)Is it correct that if you use SSL nothing is stored on the browser
caches
as this document states...

That's an interesting question. I would doubt that SSL trafffic even passes
through a proxy server, its a low-level encryption scheme that uses a
different IP port. There is no way for anything between the client and
orign server to examine the contents of https messages since only the client
and the origin server have the key necessary to decrypt the messages.

 

[Anthony Jones]

I meant .....
Cache-Control: max-age= 1 second....and no-store together

max-age will be ignored since the entity will not be cached.

 

[Mike Lowery]

Pragma: No-cache has been deprecated in favor of Cache Control.

 

[siddharthkhare]

Anthony,
if I use no-store than there is no need or meaning to using no-cache
....is that right...

To be able to cache pages IE has to store it some where
(TempInternetFiles etc..)....which no-store will not allow...


So in other words they are mutually exclusive.
It doesn't make sense to use both ....Is that right?


What I m trying to do is ..I want to allow caching but only for a short
time like a second...and as soon as that time (1 second in my example)
is over page should dissapear from all caches and all storages..
There should not be any copy in IE cache ,proxy cache etc...

Is there a way to do this? If yes what sholud be my header settings to
accomplish this...

Now why do i need this...because IE need to be abale to cache the
document if you are trying to show a out of process document like
..pdf,.doc.
But if i allow it to sit in IE cache or any other local storage
indefinitly that could be a security risk.

Also you apply headers to a site in IIS ..or atleast that is one of the
places to apply headers.
Every reuest that for a resurce with in that site will have the headers
that you configured at the site level...so I am not sure what you mean
by site is irrelevant?
thanks
Siddharth

 

[Guest]

Anthony,
if I use no-store than there is no need or meaning to using no-cache
.....is that right...

To be able to cache pages IE has to store it some where
(TempInternetFiles etc..)....which no-store will not allow...


So in other words they are mutually exclusive.
It doesn't make sense to use both ....Is that right?


What I m trying to do is ..I want to allow caching but only for a short
time like a second...and as soon as that time (1 second in my example)
is over page should dissapear from all caches and all storages..
There should not be any copy in IE cache ,proxy cache etc...

Is there a way to do this? If yes what sholud be my header settings to
accomplish this...

Now why do i need this...because IE need to be abale to cache the
document if you are trying to show a out of process document like
...pdf,.doc.
But if i allow it to sit in IE cache or any other local storage
indefinitly that could be a security risk.

Also you apply headers to a site in IIS ..or atleast that is one of the
places to apply headers.
Every reuest that for a resurce with in that site will have the headers
that you configured at the site level...so I am not sure what you mean
by site is irrelevant?
thanks
Siddharth

 

[Guest]

this resource here mentions that they (SSL pages)are cached.

http://www.windowsitpro.com/Article/ArticleID/26652/26652.html

===========================================
By default, IE caches all pages, regardless of whether the pages are secure
(e.g., HTTPS pages, which use SSL). If you don't want IE to cache these
secure pages, you can perform the following steps for each user:

Start a registry editor (e.g., regedit.exe).
Navigate to the
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
registry subkey.
From the Edit menu, select New, DWORD Value.
Enter a name of DisableCachingOfSSLPages, then press Enter.
Double-click the new value, set it to 1 to disable caching of SSL pages,
then click OK.
Close the registry editor.
Log off and log on for the change to take effect.




=======================================

 

[Anthony Jones]

Anthony,
if I use no-store than there is no need or meaning to using no-cache
....is that right...

To be able to cache pages IE has to store it some where
(TempInternetFiles etc..)....which no-store will not allow...


So in other words they are mutually exclusive.
It doesn't make sense to use both ....Is that right?

You're right is doesn't make sense.

What I m trying to do is ..I want to allow caching but only for a short
time like a second...and as soon as that time (1 second in my example)
is over page should dissapear from all caches and all storages..
There should not be any copy in IE cache ,proxy cache etc...

Is there a way to do this? If yes what sholud be my header settings to
accomplish this...

There is no way to guarantee when a cache will delete expired content.

Now why do i need this...because IE need to be abale to cache the
document if you are trying to show a out of process document like
..pdf,.doc.
But if i allow it to sit in IE cache or any other local storage
indefinitly that could be a security risk.

Using either no-store will break launching out-of-process consumers of
content.
no-cache can also break things I'm not entirely sure why but I've just tried
it and trying to launch a PDF into an external acrobat (using
content-dispositon: attachment fails with no-cache present.

You could consider using:-

Cache-Control: max-age=1, private

That way the only cache that will hold a copy will be the user private
temporary internet files. However with plenty of free disk space it will sit
in their cache for quite some time.

Also you apply headers to a site in IIS ..or atleast that is one of the
places to apply headers.
Every reuest that for a resurce with in that site will have the headers
that you configured at the site level...so I am not sure what you mean
by site is irrelevant?

At the time I assumed you meant putting no-store on some resources and
no-cache on others. As I pointed out to use both is non-sensical.

 

[Joerg Jooss]

Thus wrote siddhath,

this resource here mentions that they (SSL pages)are cached.

http://www.windowsitpro.com/Article/ArticleID/26652/26652.html

===========================================
By default, IE caches all pages, regardless of whether the pages are
secure
(e.g., HTTPS pages, which use SSL). If you don't want IE to cache
these
secure pages, you can perform the following steps for each user:

Start a registry editor (e.g., regedit.exe). Navigate to the
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings registry subkey. From the Edit menu, select New, DWORD Value.
Enter a name of DisableCachingOfSSLPages, then press Enter.
Double-click the new value, set it to 1 to disable caching of SSL
pages, then click OK. Close the registry editor. Log off and log on
for the change to take effect.

It's a common error to imply that "secure" means "non-cacheable". Both concepts
are completely unrelated.

A caching proxy receives a CONNECT request when a HTTPS connection is created.
This establishes a blind relay from the proxy to the destination host, and
the encrypted payload simply flows through that relay. The proxy knows nothing
of the actual content.

A browser on the other hand has full control over the actual resource since
it's decrypted by that point in time. Thus, a browser may keep a "secured"
resource as long as it sees fit, or honor the resource's Cache-Control headers,
or apply some browser specific behavior.

Cheers,

 

[siddharthkhare]

have you tried with only no store...that may work...
as this lnk sugget ...if you use href to open the document and use only
no-store it may work...

http://support.microsoft.com/default.aspx?kbid=812935

go to the work around section in this link...

let me know if it worked for you.....

I am going to try it here as well.

.....if ths does not work then .......I don't know how you can prevent
the caching of pdf on client machines when you are using SSL.???

Thanks
Siddharth