Wednesday, April 11, 2007

https not working for dynamically-generated files

We generate Excel and other Microsoft Office files on the fly using Java Servlets and JSPs. After moving a site to https things stopped working. Excel complained it could not open the file. Looking at headers returned showed no clear difference between http and https. Things worked just fine in Firefox.

As it turned out, the answer lies in the directives to turn off caching. Ever since Internet Explorer 4.0, there is a flaw in the way caching is handled under https. The answer is to modify the code to set the following headers (setHeader() in the servlet API).

Pragma: public
Cache-Control: max-age=0

For more details, see

http://forum.java.sun.com/thread.jspa?forumID=45&threadID=233446
http://downside.ch/blog/?p=26

1 comment:

jf said...

Beware: this code should only be used for serving documents over https. The standard recipe should still be used for documents.