RE: Small question about the caching of password protected pages

From: Nottingham, Mark (Australia) <mark_nottingham@dont-contact.us>
Date: Wed, 10 Feb 1999 17:49:38 -0500

Squid does not cache pages that are HTTP authenticated, unless a
Cache-Control: public header is returned with the response (the web site
would have to do this specifically). If they're using another authentication
mechanism, it's perfectly possible the pages are being cached, albeit
unlikely (they'd have to generate validators, Expires times or similar for
the objects as they're served).

This assumes Squid 2.x; Squid 1.x behaves in a similar manner, AFAIK, except
I don't know offhand whether it will honor a Cache-Control: public
directive.

A much more likely explanation is that someone had used the browser to
access the site in the same session.

Regards,

> I work for a small IT news service. A large portion of our articles are in
> directories protected using basic authentication. Recently, one of our
> sales people was demoing our service and found that the person to whom they
> were demoing could read the articles within the protected directories -
> without having to enter a password.
>
> After I checked and could find no accesses from the company (and indeed the
> continent in question) during the time when the demo was taking place, I
> asked if there was a cache in use. They told me that SQUID was being used.
>
> Am I correct in thinking that SQUID has cached the page from an earlier
> access by someone who does have a password, or am I barking up the wrong
> tree here?
>
> - Si
Received on Wed Feb 10 1999 - 15:36:57 MST
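
The caching rule described in the reply above, as an added example that is not part of the original message and is not Squid's code: a simplified Python model of whether a shared cache may store a response. Function names and sample headers are constructed, and the `private` / `no-store` check uses standard Cache-Control directives that the thread itself does not mention.

```python
# Added example: simplified model of the shared-cache rule in the reply above.
# Not Squid's code; function names and sample headers are constructed.

def parse_cache_control(value):
    """Return the set of lowercase directive names in a Cache-Control value."""
    names = set()
    for part in (value or "").split(","):
        name = part.split("=", 1)[0].strip().lower()
        if name:
            names.add(name)
    return names


def shared_cache_may_store(request_headers, response_headers):
    """Return (may_store, reason) for a shared proxy cache."""
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(resp.get("cache-control"))

    # Assumption beyond the thread: standard directives that forbid shared storage.
    if "no-store" in cc or "private" in cc:
        return False, "origin forbids shared caching"
    if "authorization" in req:
        # HTTP-authenticated request: only an explicit opt-in makes it cacheable.
        if "public" in cc:
            return True, "authenticated, but origin sent Cache-Control: public"
        return False, "authenticated and no Cache-Control: public"
    # Any other login scheme (cookie, form) is invisible to the cache, so the
    # response is treated like anonymous content if it carries freshness data
    # or a validator.
    if "max-age" in cc or any(h in resp for h in ("expires", "last-modified", "etag")):
        return True, "no Authorization header; validator or expiry present"
    return False, "no validator or expiry information"


def audit(samples):
    """Map each constructed sample name to the cache decision."""
    return {name: shared_cache_may_store(rq, rs)[0] for name, rq, rs in samples}


SAMPLES = [  # constructed request/response header pairs
    ("basic-auth", {"Authorization": "Basic <constructed>"}, {"Last-Modified": "Tue, 09 Feb 1999 10:00:00 GMT"}),
    ("basic-auth-public", {"Authorization": "Basic <constructed>"}, {"Cache-Control": "public, max-age=600"}),
    ("cookie-login", {"Cookie": "session=<constructed>"}, {"Expires": "Thu, 11 Feb 1999 00:00:00 GMT"}),
    ("cookie-login-private", {"Cookie": "session=<constructed>"}, {"Cache-Control": "private", "ETag": '"v1"'}),
]

if __name__ == "__main__":
    for name, ok in audit(SAMPLES).items():
        print(f"{name:22} cacheable={ok}")
```

The `cookie-login` case is the one a site operator should check for: the cache cannot see that the page sat behind a login, so the origin has to mark it non-cacheable itself.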
