I am running some tests to see how squid handles a 403 status. The problem is that squid seems to be caching the 403 (despite 'Cache-Control: no-cache, no-store, must-revalidate'), so that even if subsequent responses from the origin server (for the same request) contain a 304 I still get the 403!

I have a PHP script and am using Poster to submit GET requests to it (to simulate an XHR and eliminate the browser as a source of confusion). I'm using max-age=0 in order to force the request to be submitted to the origin server each time.

The first time I submit the request:

    http://localhost:80/GetandPost3.php?thename=Fred&theage=11

the PHP script looks like this:

    <?php
    $eTag = 'mmm3';
    $cc = 'max-age=0';
    header('Cache-Control: '.$cc);
    header('Etag: '.$eTag);
    ?>
    <html>
    The name is <?php echo $_GET["thename"]; ?>.
    The age is <?php echo $_GET["theage"]; ?>.
    </html>

The response is as expected (with a 200 status).

Now I change the PHP script to the following and submit the same request again:

    <?php
    $eTag = 'mmm3';
    header('HTTP/1.1 403 Not Authorized');
    header('Cache-Control: no-cache, no-store, must-revalidate');
    header('Etag: '.$eTag);
    ?>
    <html>
    The request is NOT AUTHORIZED
    </html>

Again, the response is as expected: 403 Not Authorized.

Now I change the PHP script to return a 304 and submit the same request again:

    <?php
    $eTag = 'mmm3';
    $cc = 'max-age=0';
    header('HTTP/1.1 304 Not Modified');
    header('Cache-Control: '.$cc);
    header('Etag: '.$eTag);
    ?>

This time I expect to see the same response as for request #1, but instead I am still getting a 403!

Why is squid caching the 403 entry despite header('Cache-Control: no-cache, no-store, must-revalidate'); ???

(I tried removing the Etag header in the 2nd test but still get the same results).

Thanks.

- Dave
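
An added example, not part of the post above and not Squid's code: the RFC 7234 section 3 storability rules for a shared cache, applied to the three responses the PHP scripts send. The function names are hypothetical, and Expires, Authorization and quoted directive arguments containing commas are not modelled.

```python
# Status codes a cache may store without explicit freshness information
# (RFC 7231 section 6.1).
CACHEABLE_BY_DEFAULT = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}

# The three origin responses from the post: (status, Cache-Control value).
POST_RESPONSES = [
    (200, "max-age=0"),
    (403, "no-cache, no-store, must-revalidate"),
    (304, "max-age=0"),
]


def parse_cache_control(value):
    """Return {directive: argument-or-None} with lower-cased directive names."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def classify(status, cache_control):
    """Say what a compliant shared cache may do with one origin response."""
    cc = parse_cache_control(cache_control)
    if status == 304:
        # A 304 carries no body; it can only refresh an entry already stored.
        return "update-stored-entry"
    if "no-store" in cc or "private" in cc:
        return "must-not-store"
    explicit = "max-age" in cc or "s-maxage" in cc or "public" in cc
    if not explicit and status not in CACHEABLE_BY_DEFAULT:
        return "must-not-store"
    # For a shared cache s-maxage takes precedence over max-age.
    lifetime = cc.get("s-maxage") or cc.get("max-age")
    if lifetime is None and "no-cache" not in cc:
        return "store-heuristic-freshness"
    # An unparsable lifetime is treated as already stale.
    seconds = int(lifetime) if lifetime and lifetime.isdigit() else 0
    if "no-cache" in cc or seconds <= 0:
        return "store-but-revalidate"
    return "store-and-serve-fresh"


def classify_post_responses():
    """Classify the three responses in the order the post sends them."""
    return [classify(status, cc) for status, cc in POST_RESPONSES]
```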