
I have an ASP.NET MVC website, and I want to deny access to a particular folder and its contents on this website. I have done that in web.config by denying access to anonymous users, using the following:

<system.web>
    <authorization>
      <deny users="?" />
    </authorization>
</system.web>

Now I am facing a problem, when I try to access a file from this folder after logging out.

If I try to access any file, say a text file, without logging in, from the browser URL, it redirects me to the login page as expected.

The URL for example is: "https://www.mywebsite.com/Content/MyNotepad.txt".

If I hit this above URL after logging in, the file opens, again as expected.

But it is after the logout that I am facing the problem. The file remains accessible even after signing out. It's only when I do a Ctrl+F5 that it redirects me to the login page.

I know this is some caching that is causing this to happen, but I am unable to find a solution for this. Any help is appreciated.

Aniruddha Ghosh
  • You could disable caching in the web.config by adding the appropriate headers: http://stackoverflow.com/questions/3929284/how-do-i-disable-caching-of-an-individual-file-in-iis-7-using-weserver-config-se – NightOwl888 Sep 21 '15 at 10:07

1 Answer


If the file is cached, then the browser doesn't need to hit the server to get it.

If the browser doesn't hit the server to get it, then what does it matter whether the server considers it to be "logged in" or not?

If you set a cache setting of max-age=0, must-revalidate, proxy-revalidate then the browser will immediately consider the response as stale, and that a stale response is never acceptable, and so hit the server again.

This can still be used with ETag and/or Last-Modified because the server can still return a 304 to indicate that the cached response is indeed still usable. Hence you get the benefits of caching while maintaining a check on whether the user is logged in.

If however the resource is so sensitive as to make even users poking about in browsers' caches manually an unacceptable leak, you will need to set a no-cache cache header to prevent even that.

Jon Hanna
  • I tried adding these headers, but they did not work for me. The browser seems to pick the file from its cache (temp internet files). – Aniruddha Ghosh Sep 24 '15 at 10:07
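As an added example that is not part of the question or of Jon Hanna's answer: one way to get the behaviour the answer describes in an ASP.NET MVC 5 site is to serve the protected files through a controller action instead of letting IIS hand them out as static files from /Content. Every fetch, including the revalidation request the answer relies on, then passes through [Authorize], so a signed-out user gets the login redirect rather than a 304. The folder ~/App_Data/Protected, the controller name and the ETag format below are assumptions for the example; ASP.NET refuses to serve App_Data directly, which is why it is used here.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.Mvc;

// Added example, not code from the question or the answer.
// Assumes an ASP.NET MVC 5 (System.Web.Mvc) site. Files live under
// ~/App_Data/Protected (assumed name), a folder ASP.NET never serves directly,
// so the only route to them is this action and therefore [Authorize].
[Authorize]
public class ProtectedFilesController : Controller
{
    private const string Folder = "~/App_Data/Protected"; // assumption

    // GET /ProtectedFiles/Get?name=MyNotepad.txt
    public ActionResult Get(string name)
    {
        // Reject anything that is not a bare file name (".." or path separators).
        if (string.IsNullOrEmpty(name) || name != Path.GetFileName(name))
            return new HttpStatusCodeResult(400);

        var path = Path.Combine(Server.MapPath(Folder), name);
        if (!System.IO.File.Exists(path))
            return HttpNotFound();

        var info = new FileInfo(path);
        // Validator built from size and last write time; enough for revalidation.
        var etag = "\"" + info.Length.ToString("x") + "-"
                        + info.LastWriteTimeUtc.Ticks.ToString("x") + "\"";

        // private, max-age=0, must-revalidate: the browser may keep a copy but
        // must ask the server before reusing it. That request runs [Authorize]
        // again, so after logout the user is redirected instead of served.
        Response.Cache.SetCacheability(HttpCacheability.Private);
        Response.Cache.SetMaxAge(TimeSpan.Zero);
        Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
        Response.Cache.SetETag(etag);
        Response.Cache.SetLastModified(info.LastWriteTimeUtc);
        // For content that must not even sit in the browser's cache on disk
        // (the answer's "poking about in caches" case), use
        // Response.Cache.SetNoStore() instead and drop the validators.

        // Authorized user with an up-to-date copy: 304, no body.
        if (Request.Headers["If-None-Match"] == etag)
            return new HttpStatusCodeResult(304);

        return File(path, MimeMapping.GetMimeMapping(name));
    }
}
```

If the files have to stay as plain static files under /Content, the same effect for the cache side can be had in web.config with a <location path="Content"> element that carries the question's <authorization> block plus <system.webServer><staticContent><clientCache cacheControlMode="DisableCache" /></staticContent></system.webServer>, which makes IIS send Cache-Control: no-cache on those files. Either way, a copy the browser stored before the headers were added stays cached until it expires or is cleared, so test in a fresh profile after changing the configuration.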