Reputation: 18318
Are server side header redirects cached?
If I do:
index.php
<?php
header('Cache-Control: no-cache, no-store, must-revalidate'); // HTTP 1.1.
header('Pragma: no-cache'); // HTTP 1.0.
header('Expires: 0'); // Proxies.
header("Location: http://apple.com",TRUE,307);
?>
Then replace index.php with new content that does NOT have a header redirect, is it possible that the browser caches the header redirect? I know this can happen with client side redirects, but I am not sure if it will happen with server side redirects. (IT doesn't appear to based on my testing, but I want to be sure.
EDIT:
It looks like I need to do a 307 redirect for it to NOT be cached by browser. See: http://www.php.net/manual/en/function.header.php#78470
I am also adding cache control headers to prevent caching just in case the 307 is cached by browser.
MY Goal is:
- Page should NOT be cached. When the header location redirect is removed it should NOT be redirected in any way.
Will the above code accomplish this. (My initial testing appears so)
Upvotes: 1
Views: 2384
Answers (2)
Reputation: 21817
###Prevent caching###
Unfortunately there's no way you can be a 100% sure that the response will not be cached :(
The reason is that you simply don't have control over all machines the response travels on. There might be badly configured proxies along the way, or even clients that will cache the response when they should not.
The only thing you can do is create a response that has a very high probability of not being cached.
###Status code###
I therefor recommend you use the 307 (Temporary Redirect) status code for the redirect. It states the response should not be cached (unless specified by Cache-Control or Expires headers).
Other options are:
- 303 (See Other), but it allows the response of the second request (after being redirected) to be cached.
- 302 (Found), but there are (relatively many) clients that have implemented this as if it were a 303.
###Cache control headers###
According to the specs, cache control headers aren't necessary. And as far as I know all major browsers and proxies follow the specs regarding 307 correctly.
But just in case you might hit a client that will cache by default, add the following headers:
Cache-Control: no-cache, no-store, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
###Summarized in PHP###
header('HTTP/1.1 307 Temporary Redirect');
header('Cache-Control: no-cache, no-store, must-revalidate');
header('Expires: Thu, 01 Jan 1970 00:00:00 GMT');
header('Pragma: no-cache');
header('Location: http://apple.com', true, 307);
###Off-topic###
Note that it's wise to include a small text with a link to the new location in the body of the response (unless the request method was HEAD). This makes sure that when a client doesn't support HTTP/1.1, the user still gets some info on where the resource can be found.
Upvotes: 3
Related Questions
- Will PHP script be executed after header redirect?
- Header redirect not refreshing redirect page
- How secure is a header redirect? Can it be bypassed?
- Header Redirect Conflict Confusion
- Is header redirect yields different behavior in different browsers
- PHP Permanent Redirection
- Will all code after redirect header in PHP always get executed?
- php caching and .htaccess caching
- PHP header redirect and HTML refresh
- Does PHP Header Redirect forces browser to reload images and not use cached images