This module does not ensure (cacheable) pages are served only to people who have entered the correct credentials for the Basic Authentication protection.

One of our clients' websites contains a view that is protected by Basic Authentication. This view outputs JSON and is cacheable by default.

Once someone logs in using the basic authentication, the view is cached by Drupal Page caching. The next request to the view page does not require authentication (while access also is cached). The headers returned for the view page are X-Drupal-Cache: HIT.

We should ensure the page is not cached while using Basic Authentication. The tests in this module should also include a scenario for anonymous users.

CommentFileSizeAuthor
#2 basic_auth-disable-caching-2997430-2.patch537 bytessjerdo

Comments

sjerdo created an issue. See original summary.

sjerdo’s picture

Status: Active » Needs work
StatusFileSize
new537 bytes

Attached a patch which ensures the page is not cached while using Basic Authentication.

Still needs tests.

  • roderik committed 0007ba1 on 7.x-1.x
    Issue #2997430 by sjerdo, roderik: Caching should be disabled for...
roderik’s picture

Status: Needs work » Fixed

Thank you. Added patch; committed.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.