Browser response caching (because of wrong cache-control http header) on 302 response causes TOO_MANY_REDIRECTS when pressing browser back button after login

[guylando]

The net core web server is configured to do the following:
https://domain/ redirects 302 redirect to https://domain/Home/Welcome when user is logged off.
https://domain/ redirects 302 redirect to https://domain/Home/User when user is logged on.
https://domain/Home/Welcome redirects 302 redirect to https://domain/ if user is logged on.

If we do the following:

1. Logout(ajax) and get redirected (by javascript) to https://domain/ and from there (by the server) to https://domain/Home/Welcome
2. Login(ajax) and get redirected (by javascript) to https://domain/ and from there (by the server) to https://domain/Home/User
3. Press back button in the browser (chrome)

The expected behavior is for the browser to request https://domain/ and since the user is logged on then be redirected (by the server) to https://domain/Home/User.

If in chrome devtools network tab to check the "disable cache" then everything works as desired.
If "disable cache" is unchecked and chrome disk cache starts working then https://domain/ is returned from disk cache and redirects to https://domain/Home/Welcome which in turn redirects to https://domain/ because the user is logged on and so on causing TOO_MANY_REDIRECTS on chrome and memory leak/crash on firefox.

Assume this code design is what is desired and lets deal with what causes this bug.
The server uses net core 2.1 and has response caching middleware configured:
app.UseResponseCaching();

The server response to https://domain/ has the http headers:
cache-control: no-cache
pragma: no-cache

And seems it doesnt prevent caching. According to results of google search to solve this the server should have return no-store instead of no-cache for 302 redirects, see:
https://stackoverflow.com/questions/22495231/chrome-and-safari-caching-302-redirect/31550450#31550450

Is there some net core configuration to make 302 responses return no-store instead of no-cache?

The first bullet here mentions this issue I think: #4647 (comment)

[guylando]

Solved by adding [ResponseCache(Location = ResponseCacheLocation.None, NoStore = true)] to the Index action which handles the https://domain/ url.
Is there a way to automatically apply no-store to all 302 redirects instead of needing to add this attribute to all places? The attribute will also not be a good solution if the action can return different types of results and not only redirect.

Sounds to me that this should be handled by the ResponseCache middleware by default.

Otherwise can handle it myself by a custom middleware such as:

app.Use(async (ctx, next) =>
   {
      await next();

      if (ctx.Response.StatusCode == 302)
      {
         // Add no-store to cache-control header
      }
   }

[Eilon]

@guylando can you share a repro for this problem? It will be difficult for us to diagnose unless we can get a better idea of what code you have.

[Tratcher]

UseResponseCaching is likely unrelated here, it's server side caching, it should have no effect on client caching. Try your repro without it.

[guylando]

@Eilon @Tratcher Here is a project which reproduces the bug and the steps to reproduce are in the readme
https://github.com/guylando/MVC302RedirectCacheBug

[guylando]

Basically the 302 redirects are cached by chrome disk cache and used when pressing browser back button in non-private tab (where if devtools are open then "disable cache" is not checked) and this triggers the bug in some environments such as in the project.
I think mvc should always set no-cache no-store for 302 redirects to prevent this bug in general.

[guylando]

@Tratcher Indeed UseResponseCaching has nothing to do with the bug.

[Eilon]

Thanks @guylando , we will take a look.

[Eilon]

Hi @guylando , we discussed this within the team and we're not planning to make any changes here. Using the browser's Back button during an auth flow has many issues, so solving this one item is not likely to be a complete solution anyway.