Proper If-Modified-Since handling that works with Firefox
Finally, I managed to write an If-Modified-Since handling that also works with Firefox.
The scenario I had to deal with looks like the following: there is a web site whose content can be changed by a few users. Those users can log in to the page to edit it. The fact whether they are logged in or not is saved in a cookie (using PHP sessions), you cannot determine from a URL if a user is logged in or not. Without the possibility to log in, the handling of If-Modified-Since headers is easy: you send a Last-Modified header (in my case, the modification time is easy to find out) and if this time is greater or equal to an existing If-Modified-Since header, you send the 304 Not Modified status without any content. To comply with the standard, we want to handle If-Unmodified-Since headers as well. For those, the same rules apply, if the modifiction time is greater or equal to an existing If-Unmodified-Since header, the 412 Precondition Failed status is sent.
Things look a bit more complicated when you want to implement the login mechanism that I have described above. One problem, of course, is that the page itself has not been modified when the user logs in, so the browser will use the version from the cache and the user will not see that he is logged in, so he cannot edit the page. This one is fixed by sending the current time as Last-Modified as long as the user is logged in. So the browser has to reload the page every time.
The second problem you will face is that Firefox usually uses the version from the cache without checking if it has changed, even when you send Cache-Control: must-revalidate. (By the way, I also send Pragma: must-revalidate to overwrite any rubbish that PHP sends during session_start().) This is easily fixed by sending Expires: 0. Now Firefox reloads the page every time and only uses the version from the cache if it receives a 304.
Let’s assume that the user does not change anything and logs out. Now, it seems to him that he is still logged in because the brower sends the last Last-Modified time it received as If-Modified-Since. The page has not been modified since then, so the version from the cache, where the user is logged in, will be used. At first, I tried to change this behaviour by sending a Cache-control: no-cache header. You have to pay attention with this, as this only tells the browser not to load a cached page, but it still saves it (at least Firefox, I don’t know if this is the correct behaviour). So the next time the browser requests the page, it will send a If-Modified-Since header with this newer cached page. To avoid this, also send the no-store Cache-Control header. (I send Cache-Control: no-cache,no-store as well as Pragma: no-cache,no-store.)
So, as a summary, send Cache-Control: no-cache,no-store as well as the current time as Last-Modified header as long as the user is logged in. Send Cache-Control: must-revalidate and Expires: 0 as long as he isn’t.
Filed under bugs