The AllowCacheHeaders attribute tells the SAML Affiliate Agent how to handle cache-related request headers. Specifically, this setting tells the Agent whether it should remove the If-Modified-Since and If-None-Match request headers before it passes a request to the web server on which it is installed. These headers make a request conditional: the web server can answer them with 304 Not Modified and no body, which tells the browser to reuse its cached copy instead of receiving a freshly generated page. The action taken by the SAML Affiliate Agent therefore affects whether a browser uses cached pages.
Note: This attribute does not affect auto-authorized resources. Auto-authorized resources include those matched by the IgnoreExt setting. For these files, the default cache operations are determined by the browser’s and web server’s own cache settings.
The three options for this attribute are:
Yes: If you enter this option, the SAML Affiliate Agent ignores cache-related headers and takes no action. Conditional requests reach the web server unchanged, and the default cache operations are determined by the browser’s and web server’s own cache settings.
Important! Setting AllowCacheHeaders to Yes introduces security issues. Pages that are personalized by an application on the web server but do not set the appropriate cache control headers may be cached in the browser or in any HTTP intermediary. A later conditional request for such a page can be answered with 304 Not Modified, so the browser redisplays the cached copy. This can show one user’s personalized content to a later user of the same browser and allows the browser to save sensitive data to disk.
Additionally, setting this parameter to Yes prevents the SAML Affiliate Agent from enforcing session timeouts for every resource. If a resource is served from the browser cache, no request reaches the web server, so the Agent has no chance to read the SMSESSION cookie and validate the session. Evaluate your session security needs before enabling this setting.
No (the default): If you choose this option, the SAML Affiliate Agent removes the cache-related headers from requests for protected resources. The web server then treats each request as unconditional, performs no cache validation, and returns the full resource rather than 304 Not Modified, so the Agent sees and validates every request for a protected resource.
Note: If you are configuring the LogOffURI, we recommend accepting this default value. Otherwise, the browser can deliver a cached version of the LogOffURI resource, the request never reaches the Agent, and the user session is not terminated.
If you specify the third option, the SAML Affiliate Agent tells the web server to remove all cache-related headers from requests for both protected and unprotected resources.
If the session has been terminated, the browser will not use what is in cache, regardless of this setting.
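The scenario behind the warning about the Yes setting, as an added example that is not part of this page or of CA's own Agent code: a small Python model of the browser cache, the Agent's header filtering for each of the three options, and an origin application that personalizes its page but sets a user-independent ETag and no Cache-Control header. The setting labels (IGNORE, STRIP_PROTECTED, STRIP_ALL), the IgnoreExt extension list, the resource paths and the user names are assumptions made for this example; the real configuration values are the ones named in the text above.

```python
"""Toy model of how the AllowCacheHeaders setting changes what a browser displays.
Constructed example: Agent, origin and browser are stand-ins, not CA's code."""

# Conditional request headers the Agent removes.
CONDITIONAL_HEADERS = ("if-modified-since", "if-none-match")

# Illustrative labels (assumed, not the real configuration values) for the
# three behaviours described on the page:
#   IGNORE          -> AllowCacheHeaders=Yes: Agent leaves the headers alone
#   STRIP_PROTECTED -> AllowCacheHeaders=No (default): strip on protected resources
#   STRIP_ALL       -> third option: strip on protected and unprotected resources
IGNORE, STRIP_PROTECTED, STRIP_ALL = "ignore", "strip_protected", "strip_all"

# Assumed IgnoreExt list: auto-authorized resources the Agent never filters.
IGNORE_EXT = (".css", ".js", ".gif", ".png")


def is_auto_authorized(path):
    return path.lower().endswith(IGNORE_EXT)


def agent_filter(setting, path, protected, headers):
    """Return the headers the Agent forwards to the web server (keys lowercased)."""
    fwd = {k.lower(): v for k, v in headers.items()}
    if setting == IGNORE or is_auto_authorized(path):
        return fwd
    if setting == STRIP_ALL or (setting == STRIP_PROTECTED and protected):
        for h in CONDITIONAL_HEADERS:
            fwd.pop(h, None)
    return fwd


def origin(path, headers):
    """Origin application that personalizes the page for the session user but
    sets an ETag that does not vary by user and no Cache-Control: exactly the
    misconfiguration the page warns about. Returns (status, etag, body)."""
    user = headers["cookie"].split("=", 1)[1]   # identity from the SMSESSION cookie
    etag = '"v1-%s"' % path                     # constant per path, wrong for personalized content
    if headers.get("if-none-match") == etag:
        return 304, etag, None                  # validator matched: body is not resent
    return 200, etag, "Welcome %s to %s" % (user, path)


def browser_fetch(setting, path, protected, user, cache):
    """One browser request: conditional when the path is cached. Returns the body
    the browser displays; on 304 that is the previously cached (possibly stale) body."""
    headers = {"Cookie": "SMSESSION=%s" % user}
    if path in cache:
        headers["If-None-Match"] = cache[path][0]
    status, etag, body = origin(path, agent_filter(setting, path, protected, headers))
    if status == 304:
        return cache[path][1]
    cache[path] = (etag, body)
    return body


def shared_browser(setting, path, protected=True):
    """alice views the page, logs off, then bob views it in the same browser."""
    cache = {}
    browser_fetch(setting, path, protected, "alice", cache)
    return browser_fetch(setting, path, protected, "bob", cache)


if __name__ == "__main__":
    print(shared_browser(IGNORE, "/account.html"))           # bob sees alice's page
    print(shared_browser(STRIP_PROTECTED, "/account.html"))  # bob sees his own page
    print(shared_browser(STRIP_ALL, "/site.css"))            # IgnoreExt: cache still used
```

With the Agent ignoring the headers, the second user's conditional request is answered 304 and the browser redisplays the first user's personalized page; with the default, the stripped headers force a 200 and a freshly rendered page. Unprotected resources only lose their conditional headers under the third option, and auto-authorized resources such as .css files keep normal caching under every setting. To check a real deployment, request a protected resource with an If-None-Match header carrying an ETag the server previously returned and confirm the web server answers 200 with a body rather than 304.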
Note: See RFC 2616, Section 13, "Caching in HTTP", for more information about HTTP/1.1 caching mechanisms. RFC 2616 has since been obsoleted; the current specifications are RFC 9111 (HTTP Caching) and RFC 9110 (HTTP Semantics), which defines the If-Modified-Since and If-None-Match conditional request headers.
Copyright © 2011 CA. All rights reserved.