no-cache vs no-store

Discussion in 'ASP General' started by siddharthkhare@hotmail.com, Jun 8, 2006.

  1. Guest

    Hi All,
    what is the diference between these two cache control header.

    no-cache and no-store.

    I have read the w3.org explanation.

    So lets say I am using only no-cache ....my understanding is that
    nothing is cached and nothing is writen to disk.

    but what happens when we use no-store....i think..nothing is written
    to disk but it could be cached.
    Now my question where is this cache located...is it only in memory
    ?....if it is written to disk how log is it there and when does it gets
    cleaned.

    Is no-cache more secure than no-store ..why?

    We can assume IIS and IE6.0 SP2 being used.
    Thanks
    Siddharth
    , Jun 8, 2006
    #1
    1. Advertising

  2. non-cache and no-store do not really mean not to cache, it means do not
    reuse for a subsequent request.

    remember the browser is not the only cache. proxy servers cache, web servers
    cache, browsers cache, isps add caching routers. in the proxy server case,
    it will fetch the page, but it need to maintain it in the cache until the
    client has read all of it (as the client network may be a lot slower then
    the proxy). if the proxy is handling 100's of requests at the same time, it
    may not have enough memory to store these pages in memory and may not honor
    the directive anyway.


    see this w3c spec on building cache managers. read section 14.9.2

    http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html

    -- bruce (sqlwork.com)

    <> wrote in message
    news:...
    > Hi All,
    > what is the diference between these two cache control header.
    >
    > no-cache and no-store.
    >
    > I have read the w3.org explanation.
    >
    > So lets say I am using only no-cache ....my understanding is that
    > nothing is cached and nothing is writen to disk.
    >
    > but what happens when we use no-store....i think..nothing is written
    > to disk but it could be cached.
    > Now my question where is this cache located...is it only in memory
    > ?....if it is written to disk how log is it there and when does it gets
    > cleaned.
    >
    > Is no-cache more secure than no-store ..why?
    >
    > We can assume IIS and IE6.0 SP2 being used.
    > Thanks
    > Siddharth
    >
    bruce barker \(sqlwork.com\), Jun 8, 2006
    #2
    1. Advertising

  3. Guest

    Bruce,
    I understand that caching can happen at various places. But if you set
    the caching headers at ISS- Website level than it should apply to all
    i.e IE,proxies etc..

    thanks for your response but I was tryng to understand what is the
    difference between non-cache and no-store?

    Also if you look at "no-store" explanation on W3 site...this is what
    it says

    "The purpose of the no-store directive is to prevent the inadvertent
    release or retention of sensitive information (for example, on backup
    tapes). "

    so my inderstanding was that it will not allow anything pesisted to
    IE,proxy etc...I IE case i thought it will be TempInternet files folder
    etc.


    In other words is it that no-store is doing to achieve prevention of
    the inadvertent release or retention of sensitive information?
    what is the difference between no-cahe and no-store ?

    Thanks
    Siddharth
    , Jun 8, 2006
    #3
  4. Jeremy Guest

    I have found that no-store is what to use if you do not want firefox to
    display the original downloaded content. For example I wrote an app that let
    people change where boxed in areas of a web site were located. Like Google
    Personal or Windows Live. Now if a user moved things around, which would be
    saved through AJAX and happened back to a cached/stored version of the page
    none of there changes would show up because the request is not being made to
    the server. So I always use:

    Response.Cache.SetCacheability(HttpCacheability.ServerAndNoCache);
    Response.Cache.SetAllowResponseInBrowserHistory(false);
    Response.Cache.SetNoStore();

    If I absouletely want the client to have to go to the server for the
    request, instead of hitting one of the cached locations.

    "" wrote:

    > Hi All,
    > what is the diference between these two cache control header.
    >
    > no-cache and no-store.
    >
    > I have read the w3.org explanation.
    >
    > So lets say I am using only no-cache ....my understanding is that
    > nothing is cached and nothing is writen to disk.
    >
    > but what happens when we use no-store....i think..nothing is written
    > to disk but it could be cached.
    > Now my question where is this cache located...is it only in memory
    > ?....if it is written to disk how log is it there and when does it gets
    > cleaned.
    >
    > Is no-cache more secure than no-store ..why?
    >
    > We can assume IIS and IE6.0 SP2 being used.
    > Thanks
    > Siddharth
    >
    >
    Jeremy, Jun 8, 2006
    #4
  5. Jeremy Guest

    no-cache - will not save the file to temp internet files like you mentioned.

    no-store - will not save the request or the response to and from the server
    anywhere, thus forcing the request to be renewed with each visit as I
    explained prior. Also I have read it makes it so you cannot use "File > Save"
    on a web page.

    "" wrote:

    > Bruce,
    > I understand that caching can happen at various places. But if you set
    > the caching headers at ISS- Website level than it should apply to all
    > i.e IE,proxies etc..
    >
    > thanks for your response but I was tryng to understand what is the
    > difference between non-cache and no-store?
    >
    > Also if you look at "no-store" explanation on W3 site...this is what
    > it says
    >
    > "The purpose of the no-store directive is to prevent the inadvertent
    > release or retention of sensitive information (for example, on backup
    > tapes). "
    >
    > so my inderstanding was that it will not allow anything pesisted to
    > IE,proxy etc...I IE case i thought it will be TempInternet files folder
    > etc.
    >
    >
    > In other words is it that no-store is doing to achieve prevention of
    > the inadvertent release or retention of sensitive information?
    > what is the difference between no-cahe and no-store ?
    >
    > Thanks
    > Siddharth
    >
    >
    Jeremy, Jun 8, 2006
    #5
  6. Guest

    Thanks Jeremy...

    Is it correct to say that no-store is a super set of no-cache.

    in other words when you use no-store it will not save anything just
    like using no-cache in temp folders etc.. plus restrict other things
    like "save as" also.

    Thanks
    Siddharth
    , Jun 8, 2006
    #6
  7. Jeremy Guest

    Not Necassarily because if you have caching allowed and no-store set it will
    force the user to make a new request, but I believe if that request returns
    that there is not a difference between the content that is in your cache it
    will let the cache serve it to you.

    "" wrote:

    > Thanks Jeremy...
    >
    > Is it correct to say that no-store is a super set of no-cache.
    >
    > in other words when you use no-store it will not save anything just
    > like using no-cache in temp folders etc.. plus restrict other things
    > like "save as" also.
    >
    > Thanks
    > Siddharth
    >
    >
    Jeremy, Jun 8, 2006
    #7
  8. Guest

    Thaks Jeremy
    what is the difference between "Pragma: No-cache" and "Cache Conrol :
    no-cache"
    , Jun 8, 2006
    #8
  9. <> wrote in message
    news:...
    > Hi All,
    > what is the diference between these two cache control header.
    >
    > no-cache and no-store.
    >
    > I have read the w3.org explanation.
    >
    > So lets say I am using only no-cache ....my understanding is that
    > nothing is cached and nothing is writen to disk.
    >
    > but what happens when we use no-store....i think..nothing is written
    > to disk but it could be cached.
    > Now my question where is this cache located...is it only in memory
    > ?....if it is written to disk how log is it there and when does it gets
    > cleaned.
    >
    > Is no-cache more secure than no-store ..why?
    >
    > We can assume IIS and IE6.0 SP2 being used.
    > Thanks
    > Siddharth
    >


    There seems to be considerable confusion in this thread. However the w3
    specs are quite clear as to the function of these values.

    Cache-Control: no-cache

    When an responses passes through a cache and the entity is cachable (has an
    ETag or Last-Modified-Date or possible other rules a cache might use) it
    will be cached (even with this header present).

    When a subsequent request for that entity arrives at the cache ordinarily
    the cache may have used various rules ot determine whether it passes on the
    request to the original server (or other proxy in the chain) or whether to
    supply the cached entity it has. However since the the original response
    carried the no-cache directive the cache MUST not supply the cached entity
    with out checking back with the original server. It will use a GET with
    If-Modified-Since and/or if-no-match headers and may get a 304 response
    indicating it can go ahead and use the cached entity.

    Cache-Control: no-store

    When a response passes through a cache that has the no-store value the cache
    MUST not keep a copy of the entity in the message. Simple as that, no
    permanent copy should be found of it anywhere between the origin server and
    the browser itself (include the local temporary cache). For buffering
    purpose it may appear on disk in a transient file but the file should be
    deleted as soon as the cache has passed the entity on.

    Pragma: no-cache

    Is depracated in HTTP/1.1. It is equivalent to Cache-Control: no-cache. A
    client can request that the cache chain between it and the origin server
    check to make sure that any entity it intends to send from it's store is up
    to date first.

    Anthony.
    Anthony Jones, Jun 9, 2006
    #9
  10. Guest

    Anthony,
    Thanks for the reply.
    1)So what happens if you use no-cache with max age of 1 second .....and
    no-store on same site together...how does it work...

    2)Is it correct that if you use SSL nothing is stored on the browser
    caches
    as this document states...

    So in other words if you use SSL you don't have to worry about caching
    security riks on client IE....I think it still caches even if you are
    using SSL but this document suggest otherwise..

    http://www.mnot.net/cache_docs/

    =============================================
    Should I worry about security if people access my site through a cache?


    SSL pages are not cached (or decrypted) by proxy caches, so you don't
    have to worry about that. However, because caches store non-SSL
    requests and URLs fetched through them, you should be conscious about
    unsecured sites; an unscrupulous administrator could conceivably gather
    information about their users, especially in the URL.

    In fact, any administrator on the network between your server and your
    clients could gather this type of information. One particular problem
    is when CGI scripts put usernames and passwords in the URL itself; this
    makes it trivial for others to find and user their login.

    If you're aware of the issues surrounding Web security in general,
    you shouldn't have any surprises from proxy caches.
    =============================================

    if you have a chance check my message with subject line..
    "SSL,IISCache control headers and opening PDF files"

    in the same group.
    Thanks
    Siddharth
    , Jun 9, 2006
    #10
  11. Guest

    I meant .....
    Cache-Control: max-age= 1 second....and no-store together

    thanks
    Siddharth
    , Jun 9, 2006
    #11
  12. <> wrote in message
    news:...
    > Anthony,
    > Thanks for the reply.
    > 1)So what happens if you use no-cache with max age of 1 second .....and
    > no-store on same site together...how does it work...
    >


    Site is irrelevant from the HTTP point of view this URL

    http://mysite.com/myfolder/mypage.asp?val=1

    and this URL

    http://mysite.com/myfolder/mypage.asp?val=2

    are entirely different resources and they each can have completely different
    headers.

    If you are asking what happens if you response to a single URL with both
    no-cache and no-store then one would hope a cache implementaion would honor
    the no-store over the no-cache but to be sure it wouldn't be wise to send
    both in the same response. max-age will be ignored if either of these is
    present.


    > 2)Is it correct that if you use SSL nothing is stored on the browser
    > caches
    > as this document states...
    >


    That's an interesting question. I would doubt that SSL trafffic even passes
    through a proxy server, its a low-level encryption scheme that uses a
    different IP port. There is no way for anything between the client and
    orign server to examine the contents of https messages since only the client
    and the origin server have the key necessary to decrypt the messages.


    > So in other words if you use SSL you don't have to worry about caching
    > security riks on client IE....I think it still caches even if you are
    > using SSL but this document suggest otherwise..
    >
    > http://www.mnot.net/cache_docs/
    >
    > =============================================
    > Should I worry about security if people access my site through a cache?
    >
    >
    > SSL pages are not cached (or decrypted) by proxy caches, so you don't
    > have to worry about that. However, because caches store non-SSL
    > requests and URLs fetched through them, you should be conscious about
    > unsecured sites; an unscrupulous administrator could conceivably gather
    > information about their users, especially in the URL.
    >
    > In fact, any administrator on the network between your server and your
    > clients could gather this type of information. One particular problem
    > is when CGI scripts put usernames and passwords in the URL itself; this
    > makes it trivial for others to find and user their login.
    >
    > If you're aware of the issues surrounding Web security in general,
    > you shouldn't have any surprises from proxy caches.
    > =============================================
    >
    > if you have a chance check my message with subject line..
    > "SSL,IISCache control headers and opening PDF files"
    >
    > in the same group.
    > Thanks
    > Siddharth
    >
    Anthony Jones, Jun 9, 2006
    #12
  13. <> wrote in message
    news:...
    > I meant .....
    > Cache-Control: max-age= 1 second....and no-store together
    >


    max-age will be ignored since the entity will not be cached.

    > thanks
    > Siddharth
    >
    Anthony Jones, Jun 9, 2006
    #13
  14. Mike Lowery Guest

    Pragma: No-cache has been deprecated in favor of Cache Control.

    <> wrote in message
    news:...
    > Thaks Jeremy
    > what is the difference between "Pragma: No-cache" and "Cache Conrol :
    > no-cache"
    >
    Mike Lowery, Jun 9, 2006
    #14
  15. Guest

    Anthony,
    if I use no-store than there is no need or meaning to using no-cache
    ....is that right...

    To be able to cache pages IE has to store it some where
    (TempInternetFiles etc..)....which no-store will not allow...


    So in other words they are mutually exclusive.
    It doesn't make sense to use both ....Is that right?


    What I m trying to do is ..I want to allow caching but only for a short
    time like a second...and as soon as that time (1 second in my example)
    is over page should dissapear from all caches and all storages..
    There should not be any copy in IE cache ,proxy cache etc...

    Is there a way to do this? If yes what sholud be my header settings to
    accomplish this...

    Now why do i need this...because IE need to be abale to cache the
    document if you are trying to show a out of process document like
    ..pdf,.doc.
    But if i allow it to sit in IE cache or any other local storage
    indefinitly that could be a security risk.

    Also you apply headers to a site in IIS ..or atleast that is one of the
    places to apply headers.
    Every reuest that for a resurce with in that site will have the headers
    that you configured at the site level...so I am not sure what you mean
    by site is irrelevant?
    thanks
    Siddharth
    , Jun 9, 2006
    #15
  16. siddhath Guest

    Anthony,
    if I use no-store than there is no need or meaning to using no-cache
    .....is that right...

    To be able to cache pages IE has to store it some where
    (TempInternetFiles etc..)....which no-store will not allow...


    So in other words they are mutually exclusive.
    It doesn't make sense to use both ....Is that right?


    What I m trying to do is ..I want to allow caching but only for a short
    time like a second...and as soon as that time (1 second in my example)
    is over page should dissapear from all caches and all storages..
    There should not be any copy in IE cache ,proxy cache etc...

    Is there a way to do this? If yes what sholud be my header settings to
    accomplish this...

    Now why do i need this...because IE need to be abale to cache the
    document if you are trying to show a out of process document like
    ...pdf,.doc.
    But if i allow it to sit in IE cache or any other local storage
    indefinitly that could be a security risk.

    Also you apply headers to a site in IIS ..or atleast that is one of the
    places to apply headers.
    Every reuest that for a resurce with in that site will have the headers
    that you configured at the site level...so I am not sure what you mean
    by site is irrelevant?
    thanks
    Siddharth
    siddhath, Jun 9, 2006
    #16
  17. siddhath Guest

    this resource here mentions that they (SSL pages)are cached.

    http://www.windowsitpro.com/Article/ArticleID/26652/26652.html

    ===========================================
    By default, IE caches all pages, regardless of whether the pages are secure
    (e.g., HTTPS pages, which use SSL). If you don't want IE to cache these
    secure pages, you can perform the following steps for each user:

    Start a registry editor (e.g., regedit.exe).
    Navigate to the
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    registry subkey.
    From the Edit menu, select New, DWORD Value.
    Enter a name of DisableCachingOfSSLPages, then press Enter.
    Double-click the new value, set it to 1 to disable caching of SSL pages,
    then click OK.
    Close the registry editor.
    Log off and log on for the change to take effect.




    =======================================
    siddhath, Jun 9, 2006
    #17
  18. "siddhath" <> wrote in message
    news:...
    > Anthony,
    > if I use no-store than there is no need or meaning to using no-cache
    > ....is that right...
    >
    > To be able to cache pages IE has to store it some where
    > (TempInternetFiles etc..)....which no-store will not allow...
    >
    >
    > So in other words they are mutually exclusive.
    > It doesn't make sense to use both ....Is that right?
    >


    You're right is doesn't make sense.

    >
    > What I m trying to do is ..I want to allow caching but only for a short
    > time like a second...and as soon as that time (1 second in my example)
    > is over page should dissapear from all caches and all storages..
    > There should not be any copy in IE cache ,proxy cache etc...
    >
    > Is there a way to do this? If yes what sholud be my header settings to
    > accomplish this...
    >


    There is no way to guarantee when a cache will delete expired content.

    > Now why do i need this...because IE need to be abale to cache the
    > document if you are trying to show a out of process document like
    > ..pdf,.doc.
    > But if i allow it to sit in IE cache or any other local storage
    > indefinitly that could be a security risk.
    >


    Using either no-store will break launching out-of-process consumers of
    content.
    no-cache can also break things I'm not entirely sure why but I've just tried
    it and trying to launch a PDF into an external acrobat (using
    content-dispositon: attachment;) fails with no-cache present.

    You could consider using:-

    Cache-Control: max-age=1, private

    That way the only cache that will hold a copy will be the user private
    temporary internet files. However with plenty of free disk space it will sit
    in their cache for quite some time.


    > Also you apply headers to a site in IIS ..or atleast that is one of the
    > places to apply headers.
    > Every reuest that for a resurce with in that site will have the headers
    > that you configured at the site level...so I am not sure what you mean
    > by site is irrelevant?


    At the time I assumed you meant putting no-store on some resources and
    no-cache on others. As I pointed out to use both is non-sensical.

    > thanks
    > Siddharth
    >
    Anthony Jones, Jun 9, 2006
    #18
  19. Guest

    have you tried with only no store...that may work...
    as this lnk sugget ...if you use href to open the document and use only
    no-store it may work...

    http://support.microsoft.com/default.aspx?kbid=812935

    go to the work around section in this link...

    let me know if it worked for you.....

    I am going to try it here as well.

    .....if ths does not work then .......I don't know how you can prevent
    the caching of pdf on client machines when you are using SSL.???

    Thanks
    Siddharth
    , Jun 12, 2006
    #19
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. NWx
    Replies:
    2
    Views:
    364
  2. =?Utf-8?B?UnVkeQ==?=

    to store or not to store an image

    =?Utf-8?B?UnVkeQ==?=, Mar 29, 2005, in forum: ASP .Net
    Replies:
    6
    Views:
    620
    =?Utf-8?B?UnVkeQ==?=
    Mar 30, 2005
  3. Alexander Widera

    store custom control in cache

    Alexander Widera, Mar 15, 2006, in forum: ASP .Net
    Replies:
    1
    Views:
    355
    Alexander Widera
    Mar 17, 2006
  4. Dst

    Store cookies in browser cache

    Dst, May 23, 2006, in forum: ASP .Net
    Replies:
    2
    Views:
    576
  5. no-cache vs no-store

    , Jun 8, 2006, in forum: ASP .Net
    Replies:
    19
    Views:
    16,557
Loading...

Share This Page