#1 2016-08-11 17:20:38

ag
Member
From: USA
Registered: 2016-08-11
Posts: 3

Cache-Control for Auth

Hi,

The method Auth in TSQLRestServerAuthenticationDefault appears to specify no "Cache-Control" response headers when it replies with the server nonce in response to the first request [having just the username].
This leads to the browser caching the result, and the issue is/would be after the 5 minutes pass and the server nonce that the browser thus cached becomes invalid. This would become a practical issue on a re-authentication attempt - e.g. after a period of inactivity. The browser does not send the request to the web server and the client application is left with the old server nonce.

Any thoughts on improving this? (I do realize I could override the Auth method in a descendant class but maybe there is a better existing solution in mORMot)
Or is there some functionality in mORMot to influence the response headers and the "Cache-Control" header in particular?

Thank you.
Alex

Offline

#2 2016-08-11 19:38:12

mpv
Member
From: Ukraine
Registered: 2012-03-24
Posts: 1,544
Website

Re: Cache-Control for Auth

Try to use a POST request from the browser. As far as I remember, the implementation does not check the HTTP verb in this method.

Offline

#3 2016-08-11 20:09:40

ag
Member
From: USA
Registered: 2016-08-11
Posts: 3

Re: Cache-Control for Auth

Yes, this is true for POST requests.
For some reason I thought that using GET specifically for authentication requests is expected by mORMot but it seems to be working with POST too, at least for the first one.
Thanks.

Offline

#4 2016-08-12 07:07:21

mpv
Member
From: Ukraine
Registered: 2012-03-24
Posts: 1,544
Website

Re: Cache-Control for Auth

@ag in which browsers does GET request caching appear? The latest Chrome/Firefox/Edge do not cache the response in case cache directives are not explicitly specified in the headers...

Last edited by mpv (2016-08-12 07:07:48)

Offline

#5 2016-08-12 17:03:55

ag
Member
From: USA
Registered: 2016-08-11
Posts: 3

Re: Cache-Control for Auth

I noticed the GET request caching in IE - I think IE11.
EWB uses IE in its IDE but I am not sure if the ActiveX IE version it might be using is older than the IE version 11 I see when I launch IE itself.

To be clear - after I switched the first authentication request to POST the issue is no longer occurring.
Thanks again for your advice.
And many thanks to AB for the great framework!

Offline
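
Added example, not part of any post above and not mORMot or EWB code: a client-side check that the server nonce from the first authentication step was not replayed from the browser cache, using the 5-minute lifetime mentioned in the thread. The function name, the shape of the response object and the sample values are assumptions made for illustration.

```javascript
// Added example: not mORMot or EWB code; all names are hypothetical.
const NONCE_LIFETIME_MS = 5 * 60 * 1000; // 5-minute validity mentioned in the thread

// Case-insensitive lookup in a plain object of response headers.
function header(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? '' : String(headers[key]);
}

// r = { method, headers, nonce } describes the first auth step as the client saw it.
// previousNonce is the last nonce this client received, or null.
function checkNonceResponse(r, nowMs, previousNonce) {
  const cc = header(r.headers, 'Cache-Control').toLowerCase();
  // A GET reply with no explicit directive leaves caching up to the browser.
  const cacheRisk = r.method.toUpperCase() === 'GET' && !/\bno-(store|cache)\b/.test(cc);
  const reasons = [];
  // A reply served from cache keeps the Date header of the original response.
  // Comparing it with the local clock assumes the two clocks roughly agree.
  const sent = Date.parse(header(r.headers, 'Date'));
  if (!Number.isNaN(sent) && nowMs - sent >= NONCE_LIFETIME_MS) {
    reasons.push('response is older than the nonce lifetime');
  }
  if (previousNonce !== null && r.nonce === previousNonce) {
    reasons.push('same nonce as the previous attempt');
  }
  return { usable: reasons.length === 0, cacheRisk, reasons };
}

// Constructed sample data: a re-authentication attempt answered from cache,
// and the same attempt sent as POST and answered by the server.
const now = Date.UTC(2016, 7, 11, 17, 30, 0);
const cachedGet = { method: 'GET', nonce: 'constructed-nonce-1',
  headers: { 'Date': 'Thu, 11 Aug 2016 17:20:38 GMT' } };
const freshPost = { method: 'POST', nonce: 'constructed-nonce-2',
  headers: { 'date': 'Thu, 11 Aug 2016 17:29:58 GMT' } };

console.log(checkNonceResponse(cachedGet, now, 'constructed-nonce-1'));
console.log(checkNonceResponse(freshPost, now, 'constructed-nonce-1'));
```

A client that gets `usable: false` should discard the nonce and request a new one rather than computing the password hash from it.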
