This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit e666c65b7cb210bfeffb35884001775dc08fd3aa
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Fri Mar 27 10:05:37 2020 +0100

    Improved: Improve Web Content Caching
    
    (OFBIZ-11477)
    
    According to OWASP, OFBiz Web Content Caching is weak:
    
    Independently of the cache policy defined by the web application, if caching web
    application contents is allowed, the session IDs must never be cached, so it is
    highly recommended to use the Cache-Control: no-cache="Set-Cookie, Set-Cookie2"
    directive, to allow web clients to cache everything except the session ID
    
    I noticed, though, that Set-Cookie2 has been deprecated for a long time now. And with
    new browsers' policies it is too often updated. So there is no need to use Set-Cookie2.
---
 .../src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java   | 2 ++
 1 file changed, 2 insertions(+)

diff --git 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
index d24f2b2..b18fa8d 100644
--- 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
+++ 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
@@ -991,6 +991,8 @@ public class RequestHandler {
         if (viewNoCache) {
            UtilHttp.setResponseBrowserProxyNoCache(resp);
            if (Debug.verboseOn()) Debug.logVerbose("Sending no-cache headers 
for view [" + nextPage + "]", module);
+        } else {
+            resp.setHeader("Cache-Control", "Set-Cookie");
         }
         
         //Security Headers
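Review bot: the value written in the new else branch, `resp.setHeader("Cache-Control", "Set-Cookie");`, is not the directive the commit message quotes from OWASP. `Set-Cookie` on its own is not a Cache-Control directive, so clients will ignore it and the Set-Cookie header remains cacheable; the recommended form is the field-name argument to no-cache, i.e. `resp.setHeader("Cache-Control", "no-cache=\"Set-Cookie\"");`. Two further points on the same lines: `setHeader` replaces any Cache-Control value a filter or the view itself may already have set, so `addHeader` (or checking `resp.containsHeader("Cache-Control")` first) would be safer, and the else branch fires for every view that is not marked no-cache, including views that never set a cookie, so consider scoping it to responses that actually carry a Set-Cookie header.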
