
security-services message



Subject: Preventing Caching


Mark Nottingham provided a pointer to his web page on HTTP caching.

http://www.mnot.net/cache_docs/

Naturally it is intended to deal primarily with the most common case of Browser to Server HTML content using HTTP GET Req/Resp.

1. Note that only responses are cached.
2. SSL/TLS traffic is not cached.
3. Traffic with auth headers or cookies is usually not cached.
4. POST responses are not cached.

For these reasons, a SOAP message sent over HTTP with a POST method is unlikely to be cached even if no special steps are taken to suppress caching. Obviously a SAML Assertion carried in a POST message will never be cached.

On the principle of using belt and suspenders, SAML nodes SHOULD do the following:

Clients:

HTTP Headers - Cache-Control: no-cache, no-store
HTML Pragma - no-cache

Servers:

HTTP Headers - No validator on the response (Last-Modified or ETag header)
             - Cache-Control: no-cache, no-store, must-revalidate, private
HTML Pragma - no-cache

Hal
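The following is an added example, not part of Hal's message or of any SAML implementation: it builds the client and server header sets recommended above and audits a response's headers against the server-side rules (no Last-Modified or ETag validator, the four Cache-Control directives, and Pragma: no-cache). The Pragma line is emitted here as an HTTP header; the sample "bad" response, the header names and all helper functions are constructed for illustration.

```python
"""Added example: emit and audit the no-caching headers recommended for SAML nodes.
Not part of the original message; all names and sample data are constructed."""

# Request headers a SAML client should send (Cache-Control + Pragma, per the message).
def client_request_headers():
    return {"Cache-Control": "no-cache, no-store", "Pragma": "no-cache"}

# Response headers a SAML server should send. Note that no Last-Modified or
# ETag validator is set, so intermediaries have nothing to revalidate against.
def server_response_headers(content_type="text/xml"):
    return {
        "Content-Type": content_type,
        "Cache-Control": "no-cache, no-store, must-revalidate, private",
        "Pragma": "no-cache",
    }

REQUIRED_DIRECTIVES = {"no-cache", "no-store", "must-revalidate", "private"}
VALIDATOR_HEADERS = ("last-modified", "etag")

def parse_cache_control(value):
    """Split a Cache-Control value into a set of lowercase directive names
    (directive arguments such as max-age=3600 are reduced to 'max-age')."""
    return {d.strip().split("=", 1)[0].lower() for d in value.split(",") if d.strip()}

def audit_response_headers(headers):
    """Return a list of deviations from the server recommendations; [] means compliant."""
    lower = {k.lower(): v for k, v in headers.items()}
    problems = []
    for name in VALIDATOR_HEADERS:
        if name in lower:
            problems.append(f"validator present: {name}")
    missing = REQUIRED_DIRECTIVES - parse_cache_control(lower.get("cache-control", ""))
    if missing:
        problems.append("Cache-Control missing: " + ", ".join(sorted(missing)))
    if lower.get("pragma", "").strip().lower() != "no-cache":
        problems.append("Pragma: no-cache missing")
    return problems

def parse_raw_headers(raw):
    """Parse the header block of a raw HTTP/1.1 response into a dict (status line dropped)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers

# Constructed sample: a response that carries validators and a cacheable
# Cache-Control value, i.e. exactly what a SAML responder should not send.
SAMPLE_BAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/xml\r\n"
    "Last-Modified: Tue, 15 Nov 1994 12:45:26 GMT\r\n"
    'ETag: "abc123"\r\n'
    "Cache-Control: public, max-age=3600\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("recommended:", audit_response_headers(server_response_headers()))
    print("bad sample:", audit_response_headers(parse_raw_headers(SAMPLE_BAD_RESPONSE)))
```

Running the audit over a captured response is a quick way to confirm that a deployment actually ships the belt-and-suspenders headers rather than relying only on the POST-is-not-cached default.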

