Added no-cache headers to all outgoing response messages.

DotNetOpenAuth · Oct 21, 2010 · 2a57d2b · 2a57d2b
1 parent 4cb6cae
commit 2a57d2b
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/src/DotNetOpenAuth/Messaging/Channel.cs b/src/DotNetOpenAuth/Messaging/Channel.cs
@@ -275,14 +275,22 @@ public OutgoingWebResponse PrepareResponse(IProtocolMessage message) {
 						directedMessage.Recipient != null,
 						"message",
 						MessagingStrings.DirectedMessageMissingRecipient);
-					return this.PrepareIndirectResponse(directedMessage);
+					result = this.PrepareIndirectResponse(directedMessage);
+					break;
 				default:
 					throw ErrorUtilities.ThrowArgumentNamed(
 						"message",
 						MessagingStrings.UnrecognizedEnumValue,
 						"Transport",
 						message.Transport);
 			}
+
+			// Apply caching policy to any response.  We want to disable all caching because in auth* protocols,
+			// caching can be utilized in identity spoofing attacks.
+			result.Headers[HttpResponseHeader.CacheControl] = "no-cache, no-store, max-age=0, must-revalidate";
+			result.Headers[HttpResponseHeader.Pragma] = "no-cache";
+
+			return result;
 		}
 
 		/// <summary>