-
Notifications
You must be signed in to change notification settings - Fork 25.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Authenticated response caching is not supported? #6836
Comments
@jholovacs is this your question? Warning Disable caching for content that contains information for authenticated clients. Caching should only be enabled for content that doesn't change based on a user's identity or whether a user is signed in. |
It's related to that warning, more to the nature of "why would there be a
caching mechanism that would not allow you to use it in a significant
number of cases where it would be desirable to use?" I don't have a case
study in front of me, but it seems that most api calls written nowadays are
authenticated in some manner, or should be.
…On Sun, Jun 3, 2018 at 3:49 PM, Rick Anderson ***@***.***> wrote:
@jholovacs <https://github.com/jholovacs> is this your question?
Warning
Disable caching for content that contains information for authenticated
clients. Caching should only be enabled for content that doesn't change
based on a user's identity or whether a user is signed in.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#6836 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/ABr4dEClQjOtnWx75PkgRH6eDUOP1d3oks5t5D2ugaJpZM4UYLjF>
.
|
The warning says Disable caching for content that contains information for authenticated clients. that's it. It doesn't stop you from doing that. It's telling you not to enable caching containing information (personal information, etc). See https://docs.microsoft.com/en-us/aspnet/core/security/gdpr?view=aspnetcore-2.1 |
... and how is that significantly different from previously stated? We're
still in the realm of, "here's this nifty means of caching stuff so you
don't have to hit the database all the time, but oh yeah don't use it on
anything if you care about security at all, which should be darn near
everyone"... no matter how I look at this, it seems a strange architecture
choice. Since authentication verification is unrelated, why not allow the
authentication to happen first if an authentication mechanism exists, and
then return cached objects afterwards? I do not see the reason to make
this an either/ or scenario.
…On Sun, Jun 3, 2018 at 5:26 PM, Rick Anderson ***@***.***> wrote:
The warning says *Disable caching for content that contains information
for authenticated clients.* that's it. It doesn't stop you from doing
that. It's telling you not to enable caching containing information
(personal information, etc).
See https://docs.microsoft.com/en-us/aspnet/core/security/gdpr?
view=aspnetcore-2.1
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#6836 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/ABr4dLrvyatjTWurXdX5evh0zm76eKPzks5t5FSLgaJpZM4UYLjF>
.
|
I also don't quite understand reasons why caching for authenticated clients is not supported. IMO there are no reasons to not support it for particular authenticated client (like VaryByApiKey with possible combination with other VaryByQuery). It seems like a valid scenario to me. Can somebody please elaborate? |
Thanks for contacting us. |
I think that warning is general to HTTP caching concerns, not specific to ASP.NET Core. This document explains how to implement caching in ASP.NET Core for a person who knows what they're trying to accomplish. Information on HTTP caching, potential issues, etc. are quite extensive and would appear to be outside the scope of this document. It might be good if the warning had a link out to a resource that explains the issue though so people could more easily get the information they need to resolve the concern the warning raises. From what I would guess though, this is referencing the proxy cache problem (which might also be a problem with the middleware server-side caching). To illustrate one example: User A makes a request to server using a general URL. Server sees User A has made the request and responds with data customized to what User A can see. It knows the content won't change for some time so it tacks on cache headers to let the browser know the response can be stored and future requests within a certain time can be satisfied from the local cache. A proxy appliance (or server-side caching middleware?) between the user and server observes the request and notes the response headers say the conent is static for some time. User B makes a request to the server using the same general URL. The proxy appliance notes the request exactly matches a previous requests, it notes is has a response cached that is still valid and responds with that. The server (your controller) is never aware the request was made because the proxy handled it. User B now has User A's data. This problem used to be much worse a long time ago when sites didn't use HTTPS and proxy appliances were aggressive and misconfigured but it's still a potential issue in various situations and might be applicable to the server-side cache that responds directly without calling your controller methods. From the point of view of this document telling people how to configure the caching in ASP.NET Core, the warning is a good shortcut to make people aware there is a concern they should be aware of in case they didn't first start with understanding fully what and how HTTP caching works and is just expecting the library to take care of it all for them. The doc would be improved by linking the warning to a more comprehensive document on caching and specifically the problem around authenticated (or really user-specific) content in my opinion to help people find a good explanation on the problem and the right way to handle it. |
Isn't 'private' cache control directive addresses that?
But it's 2019 now, I assume all caching solutions have fully adopted the standard and it's not possible to have a completely bullet-proof solution since, like you said, proxy can be misconfigured and even apply cache for non-cachable private resources. IMO, Trying to workaround possible misconfigurations is a dead end, it's better to assume the standard. And as far as I understand, the original question was not in regards with documentation but with the implementation. Currently it completely disables cache for such scenarios and even if you know what you are doing you'll not be able to configure it, you'll have to redo the whole caching layer. |
its mentioned here as warning but it's mentioned clearly that its disabled in the middleware section "Authorization | The response isn't cached if the header exists." ! however , I've tried it and it is working fine even if there is Authorization attribute on my controller . the question here , is it OK to use VaryByHeader = "Authorization" to avoid mixing cached data between different users ? |
@aseelawi whenever I pass an Authorization header, it simply ignores the caching. "The Authorization header must not be present." I'm using OAuth Client Credentials Flow, to ensure the protection of the APIs. Is not a user authentication but a Machine! So the only alternative that I see is to implement my own Middleware/Attributes. |
It is not caching for me in Dotnet 5. If I turn authentication off on the API, it caches. Very sad. |
Hi. There would be hundreds of use cases where in you would want to cache values for authenticated users. I hope the team looks at this issue seriously. |
It's not true. I can not use ResponseCache with authorization header because one of the conditions for caching in response caching middleware is "The Authorization header must not be present.". |
Still valid to this day. Why can't I cache my static responses AND protect them. I don't really understand the reason behind this. |
In .Net 7, you could implement a customised IOutputCachePolicy for minimal API and do caching as your wish. However, it needs lots of extra code to write such as varyByValue for the authenticated user, and when to invalidate the cache so on and so forth, which makes me feel try to improve the code and reduce the usage of cache for all is not a bad idea. |
I will provide some code that worked for me. I used Bearer token authentication for protecting my api endpoints and used custom caching policy in order to save resources for my .net 7 web api. First you create below custom cache policy class:
Later, in Program.cs, you enable OutputCache with the above custom policy option:
Then, above your specified endpoint inside your controller you place the below annotation above the endpoint you want to cache regardless of authorization headers (but enabled ofc!), And you are done! |
Kinda sucks that this problem is now in kindergarden, and we still cannot protect static outputs with built-in caching without customizing it (Which is now a maintenance burden) as a result of an artificial restriction... And it's not even recognized as a valid problem. |
@CostasCF Note that Output Caching and Response Caching are two separate issues. Completely agree with previous comments. We should have this for Authorized pages. At least be able to write a policy to update the default one, like you can for Output Caching (the visibility of the necessary elements of the policy won't let this hapen for ResponseCache). I'm currently in the process of trying to rewite the Response Caching object to do this. Bad idea, but left with no other option. |
Why? It seems quite silly to make the assumption that authenticated clients would not want or need a caching mechanism. How much of what we do with web api's does not require authentication?
Document Details
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
The text was updated successfully, but these errors were encountered: