
Re: does no-store request invalidate?

From: Henrik Nordstrom <henrik@henriknordstrom.net>
Date: Mon, 29 Oct 2007 02:35:38 +0100
To: Werner Baumann <werner.baumann@onlinehome.de>
Cc: ietf-http-wg@w3.org
Message-Id: <1193621738.4150.80.camel@henriknordstrom.net>

IIRC this was discussed before, and the conclusion was that no-store in
itself does not invalidate. There may be other aspects of the response which
invalidate the cache entry, i.e. a new ETag being returned or a
non-idempotent method being used.

Regards
Henrik

On Fri, 2007-10-26 at 22:05 +0200, Werner Baumann wrote:
> Scenario:
> A caching proxy that serves not one, but many clients (the most common 
> case).
> 
> Case a)
> 1. Client X requests resource A.
> 2. The proxy gets resource A from the server, stores it in the cache and 
> delivers it to client X.
> 3. Some time later client Y requests resource A. The proxy checks 
> whether the cached entity is up-to-date and serves the cached entity.
> Let's assume the proxy checked well and the entity is up-to-date.
> 
> Case b)
> The same case with client Z, which likes "no-store".
> 1. Client X requests resource A.
> 2. The proxy gets resource A from the server, stores it in the cache and 
> delivers it to client X.
> 3. Client Z requests resource A with "no-store". The proxy serves this 
> request and does *not* change the cached entity A, nor any of the 
> meta-data about resource A.
> 4. Some time later client Y requests resource A.
> What to do?
> 
> Either the cached resource A is Schrödinger's Cat, or the proxy may 
> serve the cached entity just like in case a, and the cached entity is 
> valid. After all, the cached entity in case a and case b are exactly the 
> same.
> 
> If a client does a request with the "no-store"-directive, this request 
> and the response are out of the scope of caching, and MUST NOT influence 
> the cache in any way.
> 
> On the other hand, if the proxy would delete the cached entity, the 
> danger of a denial of service attack is real. This must not be by 
> intention. Anybody may write some HTTP-Client, and may by mistake think 
> it a good idea to use the "no-store"-directive.
> 
> Werner

Received on Monday, 29 October 2007 01:35:56 GMT
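
The behaviour described in the reply above, as an added example that is not part of the original thread: a toy shared cache in which a no-store request is neither stored nor evicts the existing entry, while a changed ETag or a state-changing method does invalidate it. The class and function names, the version-based ETag, and the choice to forward no-store requests to the origin are assumptions made for illustration.

```python
# Added illustration: toy shared cache, not a real proxy. All names are hypothetical.
SAFE_METHODS = {"GET", "HEAD"}

class Origin:
    """Constructed stand-in for the server; the ETag follows a version counter."""
    def __init__(self):
        self.version = 1

    def __call__(self, method, url):
        if method not in SAFE_METHODS:
            self.version += 1              # a state-changing request alters the resource
        return (f'"v{self.version}"', f"body-v{self.version}")

class SharedCache:
    def __init__(self, origin):
        self.origin = origin
        self.store = {}                    # url -> (etag, body)
        self.origin_hits = 0

    def _forward(self, method, url):
        self.origin_hits += 1
        return self.origin(method, url)

    def handle(self, method, url, cache_control=""):
        directives = {d.strip().lower() for d in cache_control.split(",")}
        cached = self.store.get(url)
        if method not in SAFE_METHODS:
            self.store.pop(url, None)      # state-changing method: invalidate
            return self._forward(method, url)
        if "no-store" in directives:
            response = self._forward(method, url)  # assumption: forwarded, never stored
            if cached and cached[0] != response[0]:
                del self.store[url]        # a new ETag invalidates; no-store alone does not
            return response
        if cached:                         # freshness check assumed to pass, as in the thread
            return cached
        response = self._forward(method, url)
        self.store[url] = response
        return response

def run_case_b():
    """Case b: X fills the cache, Z sends no-store, Y is then served from cache."""
    proxy = SharedCache(Origin())
    proxy.handle("GET", "/A")                    # client X
    proxy.handle("GET", "/A", "no-store")        # client Z
    hits_before_y = proxy.origin_hits
    etag, _ = proxy.handle("GET", "/A")          # client Y
    return "/A" in proxy.store, proxy.origin_hits - hits_before_y, etag
```

Because the entry survives client Z's request, a client that sends no-store on every request cannot empty the shared cache for other users, which is the denial-of-service concern raised in the quoted message.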
