This module does not ensure (cacheable) pages are served only to people who have entered the correct credentials for the Basic Authentication protection.
One of our clients' websites contains a view that is protected by Basic Authentication. This view outputs JSON and is cacheable by default.
Once someone logs in using the basic authentication, the view is cached by Drupal Page caching. The next request to the view page does not require authentication (while access also is cached). The headers returned for the view page are X-Drupal-Cache: HIT.
We should ensure the page is not cached while using Basic Authentication. The tests in this module should also include a scenario for anonymous users.
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | basic_auth-disable-caching-2997430-2.patch | 537 bytes | sjerdo |
Comments
Comment #2
sjerdoAttached a patch which ensures the page is not cached while using Basic Authentication.
Still needs tests.
Comment #4
roderikThank you. Added patch; committed.