473,396 Members | 1,712 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

home > topics > asp / active server pages > questions > no-cache vs no-store

Join Bytes to post your question to a community of 473,396 software developers and data experts.

no-cache vs no-store

Hi All,
what is the diference between these two cache control header.

no-cache and no-store.

I have read the w3.org explanation.

So lets say I am using only no-cache ....my understanding is that
nothing is cached and nothing is writen to disk.

but what happens when we use no-store....i think..nothing is written
to disk but it could be cached.
Now my question where is this cache located...is it only in memory
?....if it is written to disk how log is it there and when does it gets
cleaned.

Is no-cache more secure than no-store ..why?

We can assume IIS and IE6.0 SP2 being used.
Thanks
Siddharth

Jun 8 '06 #1
18 9114
non-cache and no-store do not really mean not to cache, it means do not
reuse for a subsequent request.

remember the browser is not the only cache. proxy servers cache, web servers
cache, browsers cache, isps add caching routers. in the proxy server case,
it will fetch the page, but it need to maintain it in the cache until the
client has read all of it (as the client network may be a lot slower then
the proxy). if the proxy is handling 100's of requests at the same time, it
may not have enough memory to store these pages in memory and may not honor
the directive anyway.
see this w3c spec on building cache managers. read section 14.9.2

http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html

-- bruce (sqlwork.com)

<si************@hotmail.com> wrote in message
news:11**********************@h76g2000cwa.googlegr oups.com...
Hi All,
what is the diference between these two cache control header.

no-cache and no-store.

I have read the w3.org explanation.

So lets say I am using only no-cache ....my understanding is that
nothing is cached and nothing is writen to disk.

but what happens when we use no-store....i think..nothing is written
to disk but it could be cached.
Now my question where is this cache located...is it only in memory
?....if it is written to disk how log is it there and when does it gets
cleaned.

Is no-cache more secure than no-store ..why?

We can assume IIS and IE6.0 SP2 being used.
Thanks
Siddharth

Jun 8 '06 #2
Bruce,
I understand that caching can happen at various places. But if you set
the caching headers at ISS- Website level than it should apply to all
i.e IE,proxies etc..

thanks for your response but I was tryng to understand what is the
difference between non-cache and no-store?

Also if you look at "no-store" explanation on W3 site...this is what
it says

"The purpose of the no-store directive is to prevent the inadvertent
release or retention of sensitive information (for example, on backup
tapes). "

so my inderstanding was that it will not allow anything pesisted to
IE,proxy etc...I IE case i thought it will be TempInternet files folder
etc.
In other words is it that no-store is doing to achieve prevention of
the inadvertent release or retention of sensitive information?
what is the difference between no-cahe and no-store ?

Thanks
Siddharth

Jun 8 '06 #3
I have found that no-store is what to use if you do not want firefox to
display the original downloaded content. For example I wrote an app that let
people change where boxed in areas of a web site were located. Like Google
Personal or Windows Live. Now if a user moved things around, which would be
saved through AJAX and happened back to a cached/stored version of the page
none of there changes would show up because the request is not being made to
the server. So I always use:

Response.Cache.SetCacheability(HttpCacheability.Se rverAndNoCache);
Response.Cache.SetAllowResponseInBrowserHistory(fa lse);
Response.Cache.SetNoStore();

If I absouletely want the client to have to go to the server for the
request, instead of hitting one of the cached locations.

"si************@hotmail.com" wrote:
Hi All,
what is the diference between these two cache control header.

no-cache and no-store.

I have read the w3.org explanation.

So lets say I am using only no-cache ....my understanding is that
nothing is cached and nothing is writen to disk.

but what happens when we use no-store....i think..nothing is written
to disk but it could be cached.
Now my question where is this cache located...is it only in memory
?....if it is written to disk how log is it there and when does it gets
cleaned.

Is no-cache more secure than no-store ..why?

We can assume IIS and IE6.0 SP2 being used.
Thanks
Siddharth

Jun 8 '06 #4
no-cache - will not save the file to temp internet files like you mentioned.

no-store - will not save the request or the response to and from the server
anywhere, thus forcing the request to be renewed with each visit as I
explained prior. Also I have read it makes it so you cannot use "File > Save"
on a web page.

"si************@hotmail.com" wrote:
Bruce,
I understand that caching can happen at various places. But if you set
the caching headers at ISS- Website level than it should apply to all
i.e IE,proxies etc..

thanks for your response but I was tryng to understand what is the
difference between non-cache and no-store?

Also if you look at "no-store" explanation on W3 site...this is what
it says

"The purpose of the no-store directive is to prevent the inadvertent
release or retention of sensitive information (for example, on backup
tapes). "

so my inderstanding was that it will not allow anything pesisted to
IE,proxy etc...I IE case i thought it will be TempInternet files folder
etc.
In other words is it that no-store is doing to achieve prevention of
the inadvertent release or retention of sensitive information?
what is the difference between no-cahe and no-store ?

Thanks
Siddharth

Jun 8 '06 #5
Thanks Jeremy...

Is it correct to say that no-store is a super set of no-cache.

in other words when you use no-store it will not save anything just
like using no-cache in temp folders etc.. plus restrict other things
like "save as" also.

Thanks
Siddharth

Jun 8 '06 #6
Not Necassarily because if you have caching allowed and no-store set it will
force the user to make a new request, but I believe if that request returns
that there is not a difference between the content that is in your cache it
will let the cache serve it to you.

"si************@hotmail.com" wrote:
Thanks Jeremy...

Is it correct to say that no-store is a super set of no-cache.

in other words when you use no-store it will not save anything just
like using no-cache in temp folders etc.. plus restrict other things
like "save as" also.

Thanks
Siddharth

Jun 8 '06 #7
Thaks Jeremy
what is the difference between "Pragma: No-cache" and "Cache Conrol :
no-cache"

Jun 8 '06 #8

<si************@hotmail.com> wrote in message
news:11**********************@h76g2000cwa.googlegr oups.com...
Hi All,
what is the diference between these two cache control header.

no-cache and no-store.

I have read the w3.org explanation.

So lets say I am using only no-cache ....my understanding is that
nothing is cached and nothing is writen to disk.

but what happens when we use no-store....i think..nothing is written
to disk but it could be cached.
Now my question where is this cache located...is it only in memory
?....if it is written to disk how log is it there and when does it gets
cleaned.

Is no-cache more secure than no-store ..why?

We can assume IIS and IE6.0 SP2 being used.
Thanks
Siddharth


There seems to be considerable confusion in this thread. However the w3
specs are quite clear as to the function of these values.

Cache-Control: no-cache

When an responses passes through a cache and the entity is cachable (has an
ETag or Last-Modified-Date or possible other rules a cache might use) it
will be cached (even with this header present).

When a subsequent request for that entity arrives at the cache ordinarily
the cache may have used various rules ot determine whether it passes on the
request to the original server (or other proxy in the chain) or whether to
supply the cached entity it has. However since the the original response
carried the no-cache directive the cache MUST not supply the cached entity
with out checking back with the original server. It will use a GET with
If-Modified-Since and/or if-no-match headers and may get a 304 response
indicating it can go ahead and use the cached entity.

Cache-Control: no-store

When a response passes through a cache that has the no-store value the cache
MUST not keep a copy of the entity in the message. Simple as that, no
permanent copy should be found of it anywhere between the origin server and
the browser itself (include the local temporary cache). For buffering
purpose it may appear on disk in a transient file but the file should be
deleted as soon as the cache has passed the entity on.

Pragma: no-cache

Is depracated in HTTP/1.1. It is equivalent to Cache-Control: no-cache. A
client can request that the cache chain between it and the origin server
check to make sure that any entity it intends to send from it's store is up
to date first.

Anthony.
Jun 9 '06 #9
Anthony,
Thanks for the reply.
1)So what happens if you use no-cache with max age of 1 second .....and
no-store on same site together...how does it work...

2)Is it correct that if you use SSL nothing is stored on the browser
caches
as this document states...

So in other words if you use SSL you don't have to worry about caching
security riks on client IE....I think it still caches even if you are
using SSL but this document suggest otherwise..

http://www.mnot.net/cache_docs/

=============================================
Should I worry about security if people access my site through a cache?
SSL pages are not cached (or decrypted) by proxy caches, so you don't
have to worry about that. However, because caches store non-SSL
requests and URLs fetched through them, you should be conscious about
unsecured sites; an unscrupulous administrator could conceivably gather
information about their users, especially in the URL.

In fact, any administrator on the network between your server and your
clients could gather this type of information. One particular problem
is when CGI scripts put usernames and passwords in the URL itself; this
makes it trivial for others to find and user their login.

If you're aware of the issues surrounding Web security in general,
you shouldn't have any surprises from proxy caches.
=============================================

if you have a chance check my message with subject line..
"SSL,IISCache control headers and opening PDF files"

in the same group.
Thanks
Siddharth

Jun 9 '06 #10
I meant .....
Cache-Control: max-age= 1 second....and no-store together

thanks
Siddharth

Jun 9 '06 #11

<si************@hotmail.com> wrote in message
news:11**********************@f6g2000cwb.googlegro ups.com...
Anthony,
Thanks for the reply.
1)So what happens if you use no-cache with max age of 1 second .....and
no-store on same site together...how does it work...

Site is irrelevant from the HTTP point of view this URL

http://mysite.com/myfolder/mypage.asp?val=1

and this URL

http://mysite.com/myfolder/mypage.asp?val=2

are entirely different resources and they each can have completely different
headers.

If you are asking what happens if you response to a single URL with both
no-cache and no-store then one would hope a cache implementaion would honor
the no-store over the no-cache but to be sure it wouldn't be wise to send
both in the same response. max-age will be ignored if either of these is
present.

2)Is it correct that if you use SSL nothing is stored on the browser
caches
as this document states...

That's an interesting question. I would doubt that SSL trafffic even passes
through a proxy server, its a low-level encryption scheme that uses a
different IP port. There is no way for anything between the client and
orign server to examine the contents of https messages since only the client
and the origin server have the key necessary to decrypt the messages.

So in other words if you use SSL you don't have to worry about caching
security riks on client IE....I think it still caches even if you are
using SSL but this document suggest otherwise..

http://www.mnot.net/cache_docs/

=============================================
Should I worry about security if people access my site through a cache?
SSL pages are not cached (or decrypted) by proxy caches, so you don't
have to worry about that. However, because caches store non-SSL
requests and URLs fetched through them, you should be conscious about
unsecured sites; an unscrupulous administrator could conceivably gather
information about their users, especially in the URL.

In fact, any administrator on the network between your server and your
clients could gather this type of information. One particular problem
is when CGI scripts put usernames and passwords in the URL itself; this
makes it trivial for others to find and user their login.

If you're aware of the issues surrounding Web security in general,
you shouldn't have any surprises from proxy caches.
=============================================

if you have a chance check my message with subject line..
"SSL,IISCache control headers and opening PDF files"

in the same group.
Thanks
Siddharth

Jun 9 '06 #12

<si************@hotmail.com> wrote in message
news:11**********************@i40g2000cwc.googlegr oups.com...
I meant .....
Cache-Control: max-age= 1 second....and no-store together

max-age will be ignored since the entity will not be cached.
thanks
Siddharth

Jun 9 '06 #13
Anthony,
if I use no-store than there is no need or meaning to using no-cache
....is that right...

To be able to cache pages IE has to store it some where
(TempInternetFiles etc..)....which no-store will not allow...
So in other words they are mutually exclusive.
It doesn't make sense to use both ....Is that right?
What I m trying to do is ..I want to allow caching but only for a short
time like a second...and as soon as that time (1 second in my example)
is over page should dissapear from all caches and all storages..
There should not be any copy in IE cache ,proxy cache etc...

Is there a way to do this? If yes what sholud be my header settings to
accomplish this...

Now why do i need this...because IE need to be abale to cache the
document if you are trying to show a out of process document like
..pdf,.doc.
But if i allow it to sit in IE cache or any other local storage
indefinitly that could be a security risk.

Also you apply headers to a site in IIS ..or atleast that is one of the
places to apply headers.
Every reuest that for a resurce with in that site will have the headers
that you configured at the site level...so I am not sure what you mean
by site is irrelevant?
thanks
Siddharth

Jun 9 '06 #14
Pragma: No-cache has been deprecated in favor of Cache Control.

<si************@hotmail.com> wrote in message
news:11*********************@h76g2000cwa.googlegro ups.com...
Thaks Jeremy
what is the difference between "Pragma: No-cache" and "Cache Conrol :
no-cache"

Jun 9 '06 #15
Anthony,
if I use no-store than there is no need or meaning to using no-cache
.....is that right...

To be able to cache pages IE has to store it some where
(TempInternetFiles etc..)....which no-store will not allow...
So in other words they are mutually exclusive.
It doesn't make sense to use both ....Is that right?
What I m trying to do is ..I want to allow caching but only for a short
time like a second...and as soon as that time (1 second in my example)
is over page should dissapear from all caches and all storages..
There should not be any copy in IE cache ,proxy cache etc...

Is there a way to do this? If yes what sholud be my header settings to
accomplish this...

Now why do i need this...because IE need to be abale to cache the
document if you are trying to show a out of process document like
...pdf,.doc.
But if i allow it to sit in IE cache or any other local storage
indefinitly that could be a security risk.

Also you apply headers to a site in IIS ..or atleast that is one of the
places to apply headers.
Every reuest that for a resurce with in that site will have the headers
that you configured at the site level...so I am not sure what you mean
by site is irrelevant?
thanks
Siddharth

Jun 9 '06 #16
this resource here mentions that they (SSL pages)are cached.

http://www.windowsitpro.com/Article/...652/26652.html

===========================================
By default, IE caches all pages, regardless of whether the pages are secure
(e.g., HTTPS pages, which use SSL). If you don't want IE to cache these
secure pages, you can perform the following steps for each user:

Start a registry editor (e.g., regedit.exe).
Navigate to the
HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Internet Settings
registry subkey.
From the Edit menu, select New, DWORD Value.
Enter a name of DisableCachingOfSSLPages, then press Enter.
Double-click the new value, set it to 1 to disable caching of SSL pages,
then click OK.
Close the registry editor.
Log off and log on for the change to take effect.


=======================================
Jun 9 '06 #17

"siddhath" <si******@discussions.microsoft.com> wrote in message
news:9B**********************************@microsof t.com...
Anthony,
if I use no-store than there is no need or meaning to using no-cache
....is that right...

To be able to cache pages IE has to store it some where
(TempInternetFiles etc..)....which no-store will not allow...
So in other words they are mutually exclusive.
It doesn't make sense to use both ....Is that right?

You're right is doesn't make sense.

What I m trying to do is ..I want to allow caching but only for a short
time like a second...and as soon as that time (1 second in my example)
is over page should dissapear from all caches and all storages..
There should not be any copy in IE cache ,proxy cache etc...

Is there a way to do this? If yes what sholud be my header settings to
accomplish this...

There is no way to guarantee when a cache will delete expired content.
Now why do i need this...because IE need to be abale to cache the
document if you are trying to show a out of process document like
..pdf,.doc.
But if i allow it to sit in IE cache or any other local storage
indefinitly that could be a security risk.

Using either no-store will break launching out-of-process consumers of
content.
no-cache can also break things I'm not entirely sure why but I've just tried
it and trying to launch a PDF into an external acrobat (using
content-dispositon: attachment;) fails with no-cache present.

You could consider using:-

Cache-Control: max-age=1, private

That way the only cache that will hold a copy will be the user private
temporary internet files. However with plenty of free disk space it will sit
in their cache for quite some time.

Also you apply headers to a site in IIS ..or atleast that is one of the
places to apply headers.
Every reuest that for a resurce with in that site will have the headers
that you configured at the site level...so I am not sure what you mean
by site is irrelevant?
At the time I assumed you meant putting no-store on some resources and
no-cache on others. As I pointed out to use both is non-sensical.
thanks
Siddharth

Jun 9 '06 #18
have you tried with only no store...that may work...
as this lnk sugget ...if you use href to open the document and use only
no-store it may work...

http://support.microsoft.com/default.aspx?kbid=812935

go to the work around section in this link...

let me know if it worked for you.....

I am going to try it here as well.

.....if ths does not work then .......I don't know how you can prevent
the caching of pdf on client machines when you are using SSL.???

Thanks
Siddharth

Jun 12 '06 #19
New Post

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

19
Session_Start() Doesn't Work
by: Chris Allen | last post by:
Hi I'm new to PHP and I'm trying to create a Login Form. Once the user has logged in then he shouldn't have to log in again. The trouble is I'm getting a new session ID between every page and so...
PHP
0
Move BLOB partitions to a different tablespace
by: sandeep G | last post by:
I've a table which has a number & a blob column, both of which are NOT NULL type. This table is composite partitioned using range & hash on the same column. Each partition is sub partitioned into...
Oracle Database
7
Prevent "Back" Buttom in Browser
by: George | last post by:
I am trying to set up a login-logout website. I have a cookie about the login status. I put it as logout once the logout link is clicked. And I put a little security check about the status of...
ASP / Active Server Pages
2
Setting NoCache causes IE/Powerpoint to fail to open
by: Jonathan Trevor | last post by:
Hi, For the last couple of releases of a product we're developing we've been running to very wierd behavior from IE and our ASP.NET web application which serves up various types of files and I'm...
ASP.NET
14
Cache feature doesn't produce expected result (bug?)
by: Tom.PesterDELETETHISSS | last post by:
Hi, I think this question requires an in depth understanding of how a browser cache works. I hope I can reach an expert here. I may have found a quirk in the asp.net documentation or I don't...
ASP.NET
3
caching
by: Vikas Kumar | last post by:
Hi am using usercontrols in my application like header and footer and some other i want to do cashing on them how will i do that i mean will i have to write <%5@outputcache...... on my user...
ASP.NET
7
need help in C#.net.
by: toubuddy | last post by:
dear how do we disable the back and forward button on internet explorer.
.NET Framework
22
count down timer - JavaScript inside Ajax not working
by: canabatz | last post by:
Hi all! i got a countdown timer for auctions that runing. i got a DIV that refreshs every 4 seconds that DIV is refreshed by ajax ,the file that is refreshed is timer.php for example!! my...
Javascript
9
i got my code working ,i want to know if i did it the right way :)
by: canabatz | last post by:
i am not sure if this is the right way to use this AJAX script i did! i want to know i f it will be compatible with IE 6 also!! function getXMLHttp() { var xmlHttp; try { ...
Javascript
9
what will this do?
by: techuse | last post by:
document.getElementById('util_overview').innerHTML = "";
Javascript
0
Migrating Website to Cloud - Emmanuel Katto
by: emmanuelkatto | last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud. Please let me know. Thanks! Emmanuel
General
0
BarryA
Navigating the Data Structures and Algorithms (DSA)
by: BarryA | last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
Algorithms / Advanced Math
1
Looking to do Android software development, any suggestions? Is flutter better?
by: nemocccc | last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
General
1
Is that possible of reading the .csv file in column wise and the column have different lengths ?
by: Sonnysonu | last post by:
This is the data of csv file 1 2 3 1 2 3 1 2 3 1 2 3 2 3 2 3 3 the lengths should be different i have to store the data by column-wise with in the specific length. suppose the i have to...
C / C++
0
How to build RAID in BIOS?
by: Hystou | last post by:
There are some requirements for setting up RAID: 1. The motherboard and BIOS support RAID configuration. 2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
Computer Hardware
0
marktang
What is ONU?
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
General
0
Changing the language in Windows 10
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
Windows Server
0
Oralloy
Problem With Comparison Operator <=> in G++
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers,...
C / C++
0
jinu1996
Maximizing Business Potential: The Nexus of Website Design and Digital Marketing
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
Online Marketing

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes:
Post a Job
Sponsored Posts
Platinum & Gold Sponsors
Hire Now!