
I have a site running on Apache HTTPD 2.4.39, and when authentication is enabled the last-modified header is changed from the file's last modified date/time to the request date/time.

If the authentication is removed then the last-modified goes back to being the file's last modified date/time.

It is using mod_dbd to authenticate against a MySQL table and I cannot see anything in the Apache configuration that is modifying the last-modified header value.

I had the same setup on a previous server, using a slightly earlier version of 2.4 (not sure which), and didn't have this issue. I've looked in the Apache HTTPD bug tracker and can't find anything about this being an issue.

Has anyone else ever seen this behaviour and have any idea what might be causing it and how to resolve it?

andrewdixon
  • Seems reasonable to me? You usually don't want a cached page for one user being displayed to another user. Steam's store had a bug like that and it was a big security deal. – jordanm Mar 05 '20 at 17:47
  • This is for assets that can be cached, e.g. not user-specific, but are protected, so can be cached but need validating using a request that will then return a 304 response. Like I said, this worked previously. – andrewdixon Mar 05 '20 at 19:03
  • As a temporary "workaround" for this, I've unset the "Last-Modified" header and set the etag to be based on the file size only. Not a great solution, but as the assets never change this should be ok and it is caching on the CDN provider and still validating for authentication. – andrewdixon Mar 06 '20 at 15:44

0 Answers