1

If I do:

index.php

```php
<?php
header('Cache-Control: no-cache, no-store, must-revalidate'); // HTTP 1.1.
header('Pragma: no-cache'); // HTTP 1.0.
header('Expires: 0'); // Proxies.
header("Location: http://apple.com",TRUE,307);
?>
```

Then replace index.php with new content that does NOT have a header redirect, is it possible that the browser caches the header redirect? I know this can happen with client side redirects, but I am not sure if it will happen with server side redirects. (It doesn't appear to, based on my testing, but I want to be sure.)

EDIT:

It looks like I need to do a 307 redirect for it to NOT be cached by browser. See: http://www.php.net/manual/en/function.header.php#78470

I am also adding cache control headers to prevent caching just in case the 307 is cached by browser.

My goal is:

  • Page should NOT be cached. When the header location redirect is removed it should NOT be redirected in any way.

Will the above code accomplish this? (My initial testing appears so.)

Chris Muench
  • What cache-control headers do you send in that response? – Gumbo Apr 05 '14 at 23:07
  • I am not sending any. The goal I am trying to accomplish is only have a redirect there when I am doing an application update. Then when the application is up to date I want the redirect to go away. I don't want it cached in any way and it needs to work right away when the code is pushed and then when I remove the code it must not cache. – Chris Muench Apr 05 '14 at 23:15
  • Well, [response cacheability](http://tools.ietf.org/html/rfc2616#section-13.4) depends on the cache-control. – Gumbo Apr 06 '14 at 05:38
  • To me it sounds like a 307 will not be cached. Do you think I should put headers just in case? What would these headers be? – Chris Muench Apr 06 '14 at 15:18
  • “A response received with any other status code (e.g. status codes 302 and 307) MUST NOT be returned in a reply to a subsequent request **unless there are cache-control directives or another header(s) that explicitly allow it**. For example, these include the following: an Expires header (section 14.21); a "max-age", "s-maxage", "must-revalidate", "proxy-revalidate", "public" or "private" cache-control directive (section 14.9).” – Gumbo Apr 06 '14 at 17:18
  • Just inspect what headers the server actually returns. – Gumbo Apr 06 '14 at 17:19
  • I read that same quote from the link and don't understand it exactly. Could you explain it differently than the document? Is it saying that it doesn't get cached? – Chris Muench Apr 06 '14 at 20:15
  • Responses have an implicit cacheability as stated. However, one can change that cacheability by using cache-control header fields. So, for example, a 302 redirect response without cache-control header fields must not be returned by a cache (implicit cacheability). But if the response changes its cacheability by specifying `Cache-Control: public`, any cache may cache and return the cached response. – Gumbo Apr 06 '14 at 20:27
  • @Gumbo so it means everything is cacheable by default, but if you change headers to 302 or 307 and/or use headers then it could not be cached? – Chris Muench Apr 08 '14 at 00:47
  • No, with 302 and 307 it’s the exact opposite: they are not cacheable by default but can be made cacheable. – Gumbo Apr 08 '14 at 04:48
  • @Gumbo got it, so 307 is not cacheable. So if you look at my example in the question, I can probably remove the 3 headers before the location redirect? – Chris Muench Apr 08 '14 at 17:27
  • Oh, haven’t seen that you’ve edited your question. Yes, you may remove the additional headers. – Gumbo Apr 08 '14 at 18:28
  • @Gumbo will it do any harm leaving the headers there? I just want to 100% make sure this doesn't get cached. I haven't heard of a 307 redirect until now. Do all browsers support it correctly? – Chris Muench Apr 08 '14 at 19:52
  • The HTTP 1.1 specification is from 1999; browser vendors should have had enough time to implement it. But I’m actually not sure how browsers handle caching. Vendors have implemented some odd features and behaviors to adapt real-world ‘best practices’ that may contradict the specification. – Gumbo Apr 08 '14 at 20:05
  • If you want to post an answer summarizing that headers are indeed cached in certain situations such as 301, but not for 302 and 307, I will accept. – Chris Muench Apr 08 '14 at 20:15

2 Answers

3

###Prevent caching###

Unfortunately there's no way you can be 100% sure that the response will not be cached :(

The reason is that you simply don't have control over all machines the response travels on. There might be badly configured proxies along the way, or even clients that will cache the response when they should not.

The only thing you can do is create a response that has a very high probability of not being cached.

###Status code###

I therefore recommend you use the 307 (Temporary Redirect) status code for the redirect. It states the response should not be cached (unless specified by Cache-Control or Expires headers).

Other options are:

  • 303 (See Other), but it allows the response of the second request (after being redirected) to be cached.
  • 302 (Found), but there are (relatively many) clients that have implemented this as if it were a 303.

###Cache control headers###

According to the specs, cache control headers aren't necessary. And as far as I know all major browsers and proxies follow the specs regarding 307 correctly.

But just in case you might hit a client that will cache by default, add the following headers:

```http
Cache-Control: no-cache, no-store, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
```

###Summarized in PHP###

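```php
<?php
// Temporary redirect: not cacheable unless a header explicitly allows it.
header('HTTP/1.1 307 Temporary Redirect');
// Belt and braces for clients that might cache by default.
header('Cache-Control: no-cache, no-store, must-revalidate');
header('Expires: Thu, 01 Jan 1970 00:00:00 GMT'); // Date in the past.
header('Pragma: no-cache'); // HTTP 1.0.
header('Location: http://apple.com', true, 307);
```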

###Off-topic###

Note that it's wise to include a small text with a link to the new location in the body of the response (unless the request method was HEAD). This makes sure that when a client doesn't support HTTP/1.1, the user still gets some info on where the resource can be found.

Mike Weir
Jasper N. Brouwer
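
The rules discussed in the comments and in the answer above can be checked mechanically against the headers a server actually returns. The following is an added example, not code from the thread: a small Python classifier that models only the RFC 2616 rules quoted above for 301, 302 and 307 (real browsers may deviate), with hypothetical function names and constructed sample responses.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Directives RFC 2616 section 13.4 lists as explicitly allowing a cache to
# return a 302/307 response (an Expires header is listed there as well).
ALLOWING = {"max-age", "s-maxage", "must-revalidate", "proxy-revalidate",
            "public", "private"}

def parse_head(raw):
    """Return (status code, {lower-cased header name: value}) for a response head."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers

def already_expired(value, now):
    """Unparseable dates such as '0' count as in the past (RFC 2616 14.21)."""
    try:
        return parsedate_to_datetime(value) <= now
    except (TypeError, ValueError):
        return True

def redirect_cache_verdict(raw, now):
    """Classify how a cache that follows RFC 2616 may treat a redirect response."""
    status, headers = parse_head(raw)
    if status not in (301, 302, 307):
        raise ValueError("only 301, 302 and 307 are modelled")
    directives = {d.split("=")[0].strip().lower()
                  for d in headers.get("cache-control", "").split(",") if d.strip()}
    if "no-store" in directives:  # overrides everything else
        return "never stored"
    stale = "expires" in headers and already_expired(headers["expires"], now)
    if "no-cache" in directives or (stale and not directives & {"max-age", "s-maxage"}):
        return "revalidated before reuse"
    explicit = "expires" in headers or bool(directives & ALLOWING)
    if status == 301 or (status in (302, 307) and explicit):
        return "may be served from cache"
    return "not cacheable by default"

# Constructed sample responses (not captured from a real server).
NOW = datetime(2014, 4, 8, tzinfo=timezone.utc)
BARE_307 = "HTTP/1.1 307 Temporary Redirect\nLocation: http://apple.com"
PUBLIC_307 = BARE_307 + "\nCache-Control: public"
BARE_301 = "HTTP/1.1 301 Moved Permanently\nLocation: http://apple.com"
HARDENED_307 = (BARE_307 + "\nCache-Control: no-cache, no-store, must-revalidate"
                "\nExpires: Thu, 01 Jan 1970 00:00:00 GMT\nPragma: no-cache")
```

Note that `must-revalidate` and `Expires` appear in the quoted list of headers that make a 307 cacheable; in the recommended header set it is `no-store` that keeps the response out of caches.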
1

No, a browser won't cache a server-side redirect.

Pankucins