This article walks through a question about HTTP caching when requests carry an Authorization header, and the answer that was given.

Question

Given a response from a web server that contains an Authorization header as per the OAuth spec, does HTTP caching fail to be useful?

Request1 Authorization : AUTHTOKEN
Request2 Authorization : ANOTHERAUTOTOKEN

In this case, given HTTP caching, the second request would return the cached response for the first user. This isn't a problem for content that is generic across users, but it feels wrong for a shared cache to be providing responses for other users.

Likewise, if we were to use a Vary header and vary by Authorization, this means our cache would store a cached copy per token, which surely defeats the purpose of HTTP caching. The browser's local cache (private) would work fine, but this would still mean an origin request from each user at least once per session.

Edit

The service in question requires Authorization for all requests; however, based on what I've read, serving responses from a shared cache that include Authorization headers shouldn't be done unless must-revalidate, public, and s-maxage are present.

My question therefore is, given an API that has both generic (responses the same across all users) and user-specific responses, is caching even possible? Having s-maxage and public headers but an authorization header would mean that the cache would resolve UserA's response to UserB, UserC and so on, if I'm following the RFC correctly.

Recommended answer

See:

"A cache MUST NOT store a response to any request, unless: The request method is understood by the cache and defined as being cacheable, and ... the Authorization header field (see Section 4.2 of [RFC7235]) does not appear in the request, if the cache is shared, unless the response explicitly allows it, ..."
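The storability rule the answer quotes, and the per-token cache key that varying on Authorization produces, as an added Python example that is not part of the original question or answer. The header dictionaries are constructed, and only the Authorization-related part of RFC 7234 section 3 is modelled (the "explicitly allows it" directives come from section 3.2 of that RFC).

```python
from typing import Dict, Optional, Tuple

def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Parse 'public, s-maxage=60' into {'public': None, 's-maxage': '60'}."""
    directives: Dict[str, Optional[str]] = {}
    for token in value.split(","):
        name, _, arg = token.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def shared_cache_may_store(req_headers: Dict[str, str], resp_headers: Dict[str, str]) -> bool:
    """RFC 7234 section 3 rule quoted in the answer: a shared cache must not store a
    response to a request carrying Authorization unless the response explicitly
    allows it, which section 3.2 lists as must-revalidate, public or s-maxage.
    Only the Authorization-related conditions are modelled here."""
    cc = parse_cache_control(resp_headers.get("Cache-Control", ""))
    if "no-store" in cc or "private" in cc:
        return False          # never storable by a shared cache
    if any(h.lower() == "authorization" for h in req_headers):
        return any(d in cc for d in ("must-revalidate", "public", "s-maxage"))
    return True

def cache_key(method: str, url: str, req_headers: Dict[str, str],
              resp_headers: Dict[str, str]) -> Tuple:
    """Primary key plus the request header values named in the response's Vary.
    Varying on Authorization gives one stored copy per token, the per-user
    duplication the question describes."""
    lowered = {k.lower(): v for k, v in req_headers.items()}
    vary = [h.strip().lower() for h in resp_headers.get("Vary", "").split(",") if h.strip()]
    return (method, url) + tuple((h, lowered.get(h)) for h in vary)

# Constructed headers mirroring the question's two requests.
REQ_A = {"Authorization": "AUTHTOKEN"}
REQ_B = {"Authorization": "ANOTHERAUTOTOKEN"}
GENERIC = {"Cache-Control": "public, s-maxage=300"}            # same for all users
PER_USER = {"Cache-Control": "private, max-age=300"}           # browser cache only
PER_USER_VARY = {"Cache-Control": "public, s-maxage=300", "Vary": "Authorization"}

if __name__ == "__main__":
    print(shared_cache_may_store(REQ_A, GENERIC))    # True: explicitly allowed
    print(shared_cache_may_store(REQ_A, PER_USER))   # False: private, shared cache skips it
    print(cache_key("GET", "/api/me", REQ_A, PER_USER_VARY) ==
          cache_key("GET", "/api/me", REQ_B, PER_USER_VARY))   # False: one copy per token
```

Marking user-specific responses `private` keeps them in the browser cache only, while generic responses marked `public, s-maxage` remain shareable even though every request carries Authorization.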

That concludes this article on HTTP caching with Authorization; we hope the recommended answer is helpful.

09-24 23:17