Caching headers being overridden by CookieAuthenticationHandler

[scalablecory]

From @leealexander on Monday, October 7, 2019 8:42:22 AM

Issue Title

Caching headers being overridden by CookieAuthenticationHandler

General

The CookieAuthenticationHandler in .netcore 2.2 overrides cache headers previously set by ResponseCacheAttribute.

Moving the "app.UseResponseCaching();" in the config before or after the adding of the " app.UseAuthentication();" makes no difference as the CookieAuthenticationHandler hooks into Context.Response.OnStarting.

Basically my scenario I have no-store and no-cache set and CookieAuthenticationHandler blows away the no-store portion. In the case of a challenged authentication it allows the user to click back from a login screen.

Is this correct behaviour? Shouldn't the ApplyHeaders code in the CookieAuthenticationHandler honour the no-store header if it already exists?

Regards
Lee

Copied from original issue: dotnet/core#3564

[blowdart]

@Tratcher

[Tratcher]

Shouldn't the ApplyHeaders code in the CookieAuthenticationHandler honour the no-store header if it already exists?

Trying to combine headers gets complicated. A simpler solution would be for CookieAuthenticationHandler to set no-store itself. This has been proposed before but we haven't seen compelling arguments for no-store.

[analogrelay]

A simpler solution would be for CookieAuthenticationHandler to set no-store itself

Let's do this in 5.0 then.