Details
Suggestion
Status: Gathering Interest
Resolution: Unresolved
Description
Problem
With Crowd 4.4.1:
When trying to reset a password, the response carries no Cache-Control header. If you check the response headers while logged in to the Crowd console for Applications, Directories, Users, and Audit logs, the cache-control headers are present and working as expected.
Examples
Example response headers from a user URL (logged in):
Cache-Control: no-cache, no-store
Connection: keep-alive
Content-Language: en-US
Content-Length: 0
Content-Security-Policy: frame-ancestors 'self'
Date: Thu, 22 Dec 2022 19:07:21 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Keep-Alive: timeout=20
Location: /crowd/console/secure/user/browse.action?directoryId=131073&updateSuccessful=
Pragma: no-cache
Set-Cookie: crowd.token_key=VZhNJ9NQ672uN-dBqg4mlAAAAAAAAgABZ21hdHRvcw; Path=/; HttpOnly
X-ANODEID: e37171b7-f913-4922-a185-1f8c01f02d06
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Example response headers from a Forgotten Password URL:
Connection: keep-alive
Content-Encoding: gzip
Content-Security-Policy: frame-ancestors 'self'
Content-Type: application/json;charset=UTF-8
Date: Thu, 22 Dec 2022 19:04:47 GMT
Keep-Alive: timeout=20
Set-Cookie: crowd.rememberme.token=; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/crowd; HttpOnly
Transfer-Encoding: chunked
vary: accept-encoding
X-ANODEID: e37171b7-f913-4922-a185-1f8c01f02d06
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
These headers are missing from the Forgotten Password response:
Cache-Control: no-cache, no-store
Pragma: no-cache
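A small checker for the difference described above, added here as an example and not part of the issue or of Atlassian's code. It parses raw response headers, such as the two header blocks from the issue (copied inline, constructed sample input), and reports which cache-related headers are absent or lack the expected directives. It also flags Expires, which the user-URL example carries and the Forgotten Password example does not. The `check_url` helper, its URL paths and its handling of redirects are assumptions for live use against a Crowd instance; it is not called by the offline part.

```python
"""Check HTTP response headers for the no-cache directives that should be
present on sensitive responses (logged-in console pages, password reset).

Added example; not Atlassian's code. The header blocks below are copied
from the issue description. check_url() and its redirect handling are an
assumption for live use and are not exercised offline.
"""
import urllib.error
import urllib.request
from typing import Dict, List, Set

# Required headers and the directives each must carry. An empty set means
# the header only needs to be present (any Expires value in the past works).
REQUIRED: Dict[str, Set[str]] = {
    "cache-control": {"no-cache", "no-store"},
    "pragma": {"no-cache"},
    "expires": set(),
}

# Constructed sample input: the two header blocks from the issue.
USER_RESPONSE = """Cache-Control: no-cache, no-store
Connection: keep-alive
Content-Language: en-US
Content-Length: 0
Content-Security-Policy: frame-ancestors 'self'
Date: Thu, 22 Dec 2022 19:07:21 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Keep-Alive: timeout=20
Location: /crowd/console/secure/user/browse.action?directoryId=131073&updateSuccessful=
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
"""

FORGOT_PASSWORD_RESPONSE = """Connection: keep-alive
Content-Encoding: gzip
Content-Security-Policy: frame-ancestors 'self'
Content-Type: application/json;charset=UTF-8
Date: Thu, 22 Dec 2022 19:04:47 GMT
Keep-Alive: timeout=20
Transfer-Encoding: chunked
vary: accept-encoding
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
"""


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse 'Name: value' lines into a dict keyed by lower-cased name.
    Repeated headers are joined with ', ', as the HTTP spec allows."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines():
        if ":" not in line:
            continue  # skip status lines or stray text
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def directives(value: str) -> Set[str]:
    """Split 'no-cache, max-age=0' into the directive names {no-cache, max-age}."""
    return {tok.strip().split("=", 1)[0].lower() for tok in value.split(",") if tok.strip()}


def missing_cache_headers(headers: Dict[str, str]) -> List[str]:
    """One finding per required header that is absent or lacks a directive."""
    findings: List[str] = []
    for name, wanted in REQUIRED.items():
        if name not in headers:
            findings.append(f"missing {name}")
            continue
        lacking = wanted - directives(headers[name])
        if lacking:
            findings.append(f"{name} lacks {', '.join(sorted(lacking))}")
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx responses: the redirect itself is what we inspect."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_url(url: str, cookie: str = "") -> List[str]:
    """Live check (assumed usage): fetch url and report cache-header findings."""
    req = urllib.request.Request(url, headers={"Cookie": cookie} if cookie else {})
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        resp = opener.open(req, timeout=10)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx still carry headers
        resp = err
    return missing_cache_headers(parse_headers(str(resp.headers)))


if __name__ == "__main__":
    for label, raw in (("user URL", USER_RESPONSE), ("forgotten password", FORGOT_PASSWORD_RESPONSE)):
        print(f"{label}: {missing_cache_headers(parse_headers(raw)) or 'OK'}")
```

Run stand-alone it prints no findings for the user URL and three for the Forgotten Password response. For a live check, call `check_url("https://crowd.example.com/crowd/console/forgottenpassword")` (hypothetical path) and pass the session cookie for authenticated pages; a cookie containing only `crowd.token_key` is enough for the console URLs shown above.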
Suggested Solution
Send the same Cache-Control: no-cache, no-store and Pragma: no-cache headers on the Forgotten Password URLs that the logged-in console pages already send.