I am running DotNetNuke 7.2.2 Community Edition which by default returns all HTML-pages with
Cache-Control: private
in the response header. To generation of static HTML pages on the DotNetNuke platform typically takes 200-300 ms on our server, but when mixed with a caching proxy on basis of Apache HTTP Daemon v2.2 which caches pages, it only takes 20-30 ms when the page is in the cache of Apache.
The cache-control: private in the header can be ignored using
CacheEnable disk /
CacheRoot /path/to/disk/cache
CacheDirLevels 3
CacheDirLength 5
CacheIgnoreNoLastMod on
CacheStorePrivate on
CacheStoreNoStore on
CacheIgnoreCacheControl on # Needed!
CacheIgnoreQueryString off
CacheDefaultExpire 86400
CacheMaxFileSize 100000
CacheMaxExpire 172800
This works fine as long as no one access the website when authenticated. When working authenticated, the pages returned when you are authenticated are also cached and can provide a hook for a security breach.
When authenticated, the URL-s are still the same, so you can not filter on the URL to avoid caching taking place.
Is there any other way to convince Apache to not cache pages from DotNetNuke when logged on?
My first thought was caching based on cookie as per this article: Apache caching based on cookie. But according to the answer on that article, you would need to explicitly add a no-cache header which may be possible to add to a skin token that is on every page to produce the header based on the Request.Authenticated flag.