Item744: Malformed HTTP-Expire-header => data loss after Back-Button in https preview page

Description of the problem

I upgraded my production TWiki to Foswiki 1.0.0 (without the TWikiCompatibilityPlugin, because all needed Plugins run in Foswiki-Space) and here I've the following problem after this steps:

1. I start editing an existent page and make some changes (raw edit, I don't use a WYSIWYG-Editor)
2. I go the preview page (all my recent changes are there)
3. I push the browser's back button
4. Problem: all my recent changes are gone. The topic text is the same as it was before editing the page.

It happens with the default skin. But this problem occurs only when using the https protocol.

I appended all header communication as seen by the browser. There you can find the exact version of my browser and of the web server. The operating system is a Linux 2.6.24-22 kernel (Hardy Heron).

The cause of the problem

After several hours of testing I found the cause of this problem: Here are the headers delivered by TWiki 4.2.3:

HTTP/1.x 200 OK
Date: Mon, 12 Jan 2009 22:07:59 GMT
Server: Apache/2.2.8 (Ubuntu) mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
Expires: Tue, 13 Jan 2009 22:07:59 GMT
Cache-Control: max-age=86400
Set-Cookie: TWIKISID=79a8ac622d9fc03657b7a7e23de08de2; path=/
Last-Modified: Mon, 12 Jan 2009 22:07:59 GMT
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-15

The important (and correct line) is Expires: Tue, 13 Jan 2009 22:07:59 GMT

Now take a look at the headers delivered by Foswiki 1.0.0:

HTTP/1.x 200 OK
Date: Mon, 12 Jan 2009 22:10:12 GMT
Server: Apache/2.2.8 (Ubuntu) mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
Cache-Control: max-age=86400
Expires: +24h
Set-Cookie: FOSWIKISID=839a99e1dccf49c56872790ff5598b0b; path=/
Content-Length: 5523
Last-Modified: Mon, 12 Jan 2009 22:10:12 GMT
Keep-Alive: timeout=15, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

The important (and problematic line) is Expires: +24h

RFC2616 (section 14.21) on the Expires-format: The format is an absolute date and time as defined by HTTP-date in section 3.3.1; it MUST be in RFC 1123 date format

That is not the case. And that's the reason, why my Firefox forgets all the new entered changes when using the back-button on a HTTPS-preview page.

What happened?

The code for the Expiration-Code didn't change in Foswiki.pm

 my $expireHours   = 24;
        my $expireSeconds = $expireHours * 60 * 60;

        # and cache control headers, to ensure edit page
        # is cached until required expiry time.
        $hopts->{'last-modified'} = $lastModifiedString;
        $hopts->{expires}         = "+${expireHours}h";
        $hopts->{'cache-control'} = "max-age=$expireSeconds";

but now these options are not given to CGI::Header that does the right time-formatting, but now we have

 $this->{response}->setDefaultHeaders($hopts);

where all values are copied (bad in my case).

-- ChristianLudwig - 12 Jan 2009

Thank you very much for this great analysis, Christian! Congratulations!!!

I could confirm the problem with both Foswiki 1.0.0 and trunk, as stated, only using HTTPS (probably the browser is more strict under HTTPS).

Marking urgent.

-- GilmarSantosJr - 14 Jan 2009

I've fixed the unit tests (your fix added a Date header by default).

-- OlivierRaginel - 14 Jan 2009

The Date header is needed in the presence of Set-Cookie or Expires headers. I should have updated the tests, since they use Set-Cookie... thanks for the fix!

-- GilmarSantosJr - 14 Jan 2009