Bug in My Little Forum (Bugs)

by danielb987, Wednesday, April 12, 2017, 03:21 (1655 days ago) @ Auge


I found a nice article about the possible values of the caching header from the year 2008 on archive.org.

Very interesting article. It has given me new insight about how the cache works.

My Little Forum uses the header: Cache-Control: public, max-age=300

This header allows cache and that the page may be stored in the cache for 300 seconds. Both the web browser itself and proxies in between the web server and the web browser are allowed to store the page in their cache.

The header I suggest, based on how the forum software phpBB3 handles it, is the header: Cache-Control: private, no-cache="set-cookie".

This header tells that no proxies should cache the page but that the browser may. Also it tells the browser not to cache the "set-cookie" header.

The problem with MLF and IE is not that the page gets in the cache, but that IE does not check with the server if the page has changed. By setting the cache control to Cache-Control: public, max-age=300, I think that IE thinks that this page probably won't change in the next 300 seconds. Think of a news article for example. In the HTTP 1.1 standard I don't see a requirement for the web browser to check with the server if the page has changed, unless max-age has expired. In other words, I think IE is following the HTTP 1.1 standard about cache.

The header Cache-Control: private, no-cache="set-cookie" allows cache, except of the set-cookie header. I'm not entirely sure, but I think that the use of no-cache="set-cookie" forces IE to do a request to the web server in order to get the new set-cookie header, and when doing that it also sees if the page has been changed.

The header Cache Control: No-cache tells the web browser to not use the cache at all. It means that it always have to load the entire page from the server. Therefore, the use of Cache Control: No-cache uses more bandwidth than the use of Cache-Control: private, no-cache="set-cookie" since the web browser in the later case only needs to load the headers of the page from the server and not the entire page, unless the page has changed.

The header Cache Control: No-store tells the web browser to not store the web page in the cache at all. This is useful for sensitive data like bank transactions. If the web server allows you to do bank transactions and that the web page shows the latest bank transactions, you don't want that information to be stored in the cache on the client's hard drive where other people may be able to access the data. In this case, there is no reason to deny the web client to store the page in the cache since there is no sensitive data on the page (like bank transactions).

The header Cache-Control: private, max-age=300 may give the same result as Cache-Control: public, max-age=300, in the meaning that the web browser may interpret it that the page will probably not change in the next 300 seconds. And we don't want that. It's important that the browser checks on every request if the page has changed. It don't need to reload the entire page on each request, but the browser needs to ask the web server if the page is changed.

The header Cache-Control: private, must-revalidate is for special cases. You can read the HTTP 1.1 standard about must-revalidate for more information.

The header Cache-Control: no-cache, no-store tells the browser to not cache the page and to not store the page in the cache. I don't think this is nessesary.


One of the largest web forum software, phpBB, is using the header: Cache-Control: private, no-cache="set-cookie".

In my forum, with 2000 users, everything works fine since I changed to the code:
header('Cache-Control: private, no-cache="set-cookie"');

My users uses different web browsers, like IE, Firefox, Chrome, Android and iPhone/iPad. If something doesn't work, they tell me. And I haven't heard anything that would indicate that the forum would have problems with cache.

Best regards,

Complete thread:

 RSS Feed of thread

powered by my little forum