Full Version: Cache-Control Header... or lack thereof.
David Alivaro
Hey gang,

I have a quick question regarding the Cache-Control header (or lack thereof).

I built a fairly large php/mysql based website that is very interactive for users, much like forums are. Though there is a user registration, most pages are visible to the public, and being a registered member only gives you access to post comments etc... similar to a blog.

Right now, all my php pages are served with NO Cache-Control header... it is not sent to the client at all. But on these very pages I use cookies to test whether visitors are logged in to my site, and if so, that page will display things like form fields and text boxes where they can submit comments. Unregistered users simply don't see those forms.

This is all pretty standard stuff... but I am worried that a registered user will get one of these pages cached in a proxy cache or public cache (since there is no explicit Cache-Control header sent) and didn't know whether or not I was vulnerable to random unregistered people pulling a public cache of a page on my site that was only meant to be seen by registered users.

I hope my question makes sense.

And if this is the case... is all I need to do append a 'Cache-Control: private, must-revalidate' header to all my php pages?

I guess the biggest question is, am I at risk by not using a Cache-Control header... at risk of my "registered-only" page content being publicly cached, that is?

Thanks so much for any help and guidance.
Tim Igoe
Potentially there is a slim risk that some (badly) configured proxies are over-aggressive and will send back cached data to users they shouldn't... but that user will never be able to perform actions of the cached account. If they tried to (for e.g.) delete a post because they got a cached admin page, the system should block this due to the proper account permissions.

In my global includes, I have 2 cache busting lines that seem to work for every cache on the web.

<?php
// Do NOT cache page if at all possible.
header("Cache-Control: no-cache");
header("Pragma: no-cache");
?>
markcausa
CODE
<META NAME="ROBOTS" CONTENT="NOINDEX">
<META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
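The scenario discussed in this thread, as a simplified model of a shared proxy cache (an added example, not part of the original posts and not a real proxy): it checks which of the headers mentioned above stop a member's page from being replayed to an anonymous visitor. The `SharedCache` class, the `/post/1` URL and the `member=alice` cookie are constructed, and the cache is assumed to store 200 responses that carry no Cache-Control header.

```python
# Added example: toy shared cache, constructed for illustration only.
# Assumption: responses without Cache-Control are stored (heuristic caching),
# which is the "aggressive proxy" case described in the thread.

def parse_cc(headers):
    """Return the set of lowercase Cache-Control directive names."""
    value = headers.get("Cache-Control", "")
    return {d.split("=")[0].strip().lower() for d in value.split(",") if d.strip()}

class SharedCache:
    def __init__(self):
        self.store = {}  # url -> (varies_on_cookie, cookie, body, must_check)

    def fetch(self, url, cookie, origin):
        """Serve from cache when allowed, otherwise ask the origin."""
        hit = self.store.get(url)
        if hit:
            varies, stored_cookie, body, must_check = hit
            if not must_check and (not varies or stored_cookie == cookie):
                return body, "HIT"
        headers, body = origin(cookie)
        cc = parse_cc(headers)
        # A shared cache must not store 'private' or 'no-store' responses.
        if not ({"private", "no-store"} & cc):
            varies = "cookie" in headers.get("Vary", "").lower()
            # 'no-cache' permits storing but forces a check with the origin
            # before reuse (modelled here as a full refetch).
            self.store[url] = (varies, cookie, body, "no-cache" in cc)
        return body, "MISS"

def make_origin(extra_headers):
    """Constructed origin: the comment form appears only with a login cookie."""
    def origin(cookie):
        body = "article" + (" + comment form for " + cookie if cookie else "")
        return dict(extra_headers), body
    return origin

def leaks(extra_headers):
    """True if an anonymous visitor receives the page cached for a member."""
    cache, origin = SharedCache(), make_origin(extra_headers)
    cache.fetch("/post/1", "member=alice", origin)   # member warms the cache
    body, _ = cache.fetch("/post/1", None, origin)   # anonymous visitor
    return "comment form" in body

if __name__ == "__main__":
    for h in ({}, {"Cache-Control": "private, must-revalidate"},
              {"Cache-Control": "no-cache", "Pragma": "no-cache"}, {"Vary": "Cookie"}):
        print(h, "-> leaks:", leaks(h))
```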