Why does session_start() spit out cache control headers?

By default, PHP does not emit any cache control header, so intermediary caches such as proxies are free to cache the page. However, when session_start() is used, it spits out:

Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache

When you use sessions, it is possible that you customize each page, and these customized pages might contain sensitive information. If an intermediary caches this sensitive information, it might be returned to the wrong user.

As a side effect of the above headers, a stateful PHP application can easily run into "Page Has Expired" warnings (for example when the user presses Back to return to a page produced by a POST). To avoid this, we should set cache control to private, which tells shared caches not to store the page while still allowing the user's own browser to keep it:

Cache-Control: private

We can use header() to set this, but a better approach is to change the session.cache_limiter PHP configuration directive. The setting only takes effect if it is applied before session_start() is called:

ini_set('session.cache_limiter', 'private'); // must run before session_start()

With it set to private, the following Cache-Control header is sent:

Cache-Control: private, max-age=10800, pre-check=10800

The max-age and pre-check directives are given in seconds, and they limit how long a page may be cached. The session.cache_expire PHP configuration directive, given in minutes, controls these values. The default is 180 minutes (10800 seconds).

To avoid "Page Has Expired" warnings, set session.cache_limiter to private, and make sure that any form using the POST method submits to an intermediate processing page that redirects the user to a different URL (the post/redirect/get pattern), so the page the browser ends up on was fetched with GET and can be revisited without re-submitting.
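The following script is an added example, not code from the original page, showing both recommendations together: the cache limiter and expiry are set before session_start(), and a POST submission is processed and then answered with a redirect to a different URL (here the same script with a query string). The form field name, the flash-message session key and the 30-minute expiry are assumptions made for the example.

```php
<?php
// Both directives must be set before session_start(); afterwards PHP has
// already chosen the headers for this request and the change is ignored.
ini_set('session.cache_limiter', 'private');
ini_set('session.cache_expire', 30); // minutes -> Cache-Control: private, max-age=1800, pre-check=1800
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Intermediate processing step: validate the (hypothetical) "name" field
    // and keep only the outcome in the session, never in the response body.
    $name = trim($_POST['name'] ?? '');
    $_SESSION['flash'] = ($name === '') ? 'Name is required.' : 'Saved: ' . $name;

    // 303 See Other forces the browser to fetch the target with GET, so the
    // page it lands on (and keeps in history) is not the result of a POST.
    header('Location: ' . strtok($_SERVER['REQUEST_URI'], '?') . '?done=1', true, 303);
    exit;
}

// GET branch: consume the one-time message so a reload does not repeat it.
$flash = $_SESSION['flash'] ?? null;
unset($_SESSION['flash']);
?>
<!DOCTYPE html>
<html>
<body>
<?php if ($flash !== null): ?>
  <p><?= htmlspecialchars($flash, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<form method="post" action="">
  <label>Name <input name="name"></label>
  <button type="submit">Save</button>
</form>
</body>
</html>
```

Requesting the script with the PHP built-in server and inspecting the response headers shows Cache-Control: private with the max-age derived from session.cache_expire, while pressing Back after submitting returns to a GET page with no warning.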


Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License