Agent Guides › Web Agent Guide › Protecting Web Applications › Control How HTTP Header Resources are Cached

Control How HTTP Header Resources are Cached

You can control how the Web Agent handles cache-related request headers by setting the following parameter:

AllowCacheHeaders

Specifies whether the Web Agent removes the following cache-related HTTP headers from requests for protected resources before passing those requests to the web server:

• if-modified-since
• if-none-match

This setting affects whether a browser uses cached pages, but it does not affect auto-authorized resources (including those matched by the values in the IgnoreExt parameter). Caching of auto-authorized resources is determined by the settings of the web server and the browser.

This parameter uses the following values:

• Yes—The Agent does not remove any cache-related HTTP headers. SMSESSION cookies are still tracked to validate the session. When the session expires, the Web Agent sends an updated SMSESSION cookie with a 304 "not modified" response for resources stored in the cache but not modified by the web server since the time indicated in the if-modified-since HTTP header.

Important! When this parameter is set to yes, pages which are personalized by an application on the web server but do not have the appropriate cache control headers set may become cached in the browser or any HTTP intermediary. This can introduce unexpected behavior and allow a browser to save sensitive data to the disk.

• No—The Agent removes the cache-related HTTP headers only from requests for protected resources. The web server treats the request as unconditional, and does not perform any cache-validation operations.
• None—The Web Agent removes all cache-related headers for protected and unprotected resources.

For terminated sessions, the browser will not use cached content, regardless of the value in the AllowCacheHeaders parameter.

The settings of this parameter affect the following parameters:

• LogOffURI—If you are also using the LogOffURI parameter, we recommend setting the value of the AllowCacheHeaders parameter to no. Otherwise, a cached logoff page may be served to users and their sessions are not terminated properly.

Default: No

Limits: Yes, No, None

To remove all cache related headers from protected and unprotected resources, set the value of the AllowCacheHeaders parameter to none.

Note: For more information about HTTP 1.1 caching mechanisms, see RFC 2616, Section 13 "Caching in HTTP."