Proper If-Modified-Since handling that works with Firefox
Finally, I managed to write an If-Modified-Since handling that also works with Firefox.
The scenario I had to deal with looks like the following: there is a web site whose content can be changed by a few users. Those users can log in to the page to edit it. Whether they are logged in or not is saved in a cookie (using PHP sessions); you cannot determine from a URL if a user is logged in or not. Without the possibility to log in, the handling of If-Modified-Since headers is easy: you send a Last-Modified header (in my case, the modification time is easy to find out) and if this time is greater than or equal to an existing If-Modified-Since header, you send the 304 Not Modified status without any content. To comply with the standard, we want to handle If-Unmodified-Since headers as well. For those, the same rules apply: if the modification time is greater than or equal to an existing If-Unmodified-Since header, the 412 Precondition Failed status is sent.
Things look a bit more complicated when you want to implement the login mechanism that I have described above. One problem, of course, is that the page itself has not been modified when the user logs in, so the browser will use the version from the cache and the user will not see that he is logged in, so he cannot edit the page. This one is fixed by sending the current time as Last-Modified as long as the user is logged in. So the browser has to reload the page every time.
The second problem you will face is that Firefox usually uses the version from the cache without checking if it has changed, even when you send Cache-Control: must-revalidate. (By the way, I also send Pragma: must-revalidate to overwrite any rubbish that PHP sends during session_start().) This is easily fixed by sending Expires: 0. Now Firefox reloads the page every time and only uses the version from the cache if it receives a 304.
Let’s assume that the user does not change anything and logs out. Now, it seems to him that he is still logged in because the browser sends the last Last-Modified time it received as If-Modified-Since. The page has not been modified since then, so the version from the cache, where the user is logged in, will be used. At first, I tried to change this behaviour by sending a Cache-Control: no-cache header. You have to pay attention with this, as this only tells the browser not to load a cached page, but it still saves it (at least Firefox, I don’t know if this is the correct behaviour). So the next time the browser requests the page, it will send an If-Modified-Since header with this newer cached page. To avoid this, also send the no-store Cache-Control header. (I send Cache-Control: no-cache,no-store as well as Pragma: no-cache,no-store.)
So, as a summary, send Cache-Control: no-cache,no-store as well as the current time as Last-Modified header as long as the user is logged in. Send Cache-Control: must-revalidate and Expires: 0 as long as he isn’t.
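The summary above as an added PHP example (not the author's code): a pure function that picks the status and cache headers for a GET request. The names cacheDecision() and httpDate() and the sample timestamps are hypothetical, and the conditional checks use the RFC 7232 comparisons (304 when the page is not newer than If-Modified-Since, 412 when it is newer than If-Unmodified-Since).

```php
<?php
// Added example; cacheDecision() and httpDate() are hypothetical names.
function httpDate(int $ts): string
{
    return gmdate('D, d M Y H:i:s', $ts) . ' GMT';
}

// Returns [status, headers] for a GET; $server is in $_SERVER form.
function cacheDecision(bool $loggedIn, int $mtime, array $server, int $now): array
{
    if ($loggedIn) {
        // Logged-in view: must never be stored, so it always gets a full 200.
        return [200, [
            'Cache-Control' => 'no-cache,no-store',
            'Pragma'        => 'no-cache,no-store',
            'Last-Modified' => httpDate($now),
        ]];
    }
    $headers = [
        'Cache-Control' => 'must-revalidate',
        'Pragma'        => 'must-revalidate', // as on the page, replaces session_start() defaults
        'Expires'       => '0',
        'Last-Modified' => httpDate($mtime),
    ];
    // strtotime('') is false, so a missing header skips its check.
    $ius = strtotime($server['HTTP_IF_UNMODIFIED_SINCE'] ?? '');
    if ($ius !== false && $mtime > $ius) {
        return [412, $headers];
    }
    $ims = strtotime($server['HTTP_IF_MODIFIED_SINCE'] ?? '');
    if ($ims !== false && $mtime <= $ims) {
        return [304, $headers];
    }
    return [200, $headers];
}

// Constructed sample: page last edited at $mtime, requests arrive an hour later.
$mtime = gmmktime(12, 0, 0, 1, 10, 2010);
$now   = $mtime + 3600;
$cases = [
    'logged out, validator older than page'   => [false, ['HTTP_IF_MODIFIED_SINCE' => httpDate($mtime - 60)]],
    'logged out, validator equals page mtime' => [false, ['HTTP_IF_MODIFIED_SINCE' => httpDate($mtime)]],
    'logged in, validator equals page mtime'  => [true,  ['HTTP_IF_MODIFIED_SINCE' => httpDate($mtime)]],
    'logged out, validator from logged-in view' => [false, ['HTTP_IF_MODIFIED_SINCE' => httpDate($now - 10)]],
];
foreach ($cases as $name => [$loggedIn, $server]) {
    [$status, $headers] = cacheDecision($loggedIn, $mtime, $server, $now);
    printf("%-45s %d  %s\n", $name, $status, $headers['Cache-Control']);
}
```

The last case returns 304 because the server cannot tell that the validator came from a logged-in response; only no-store on that earlier response keeps the browser from holding a copy to revalidate.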