From 5527a4c9a68203bf1e4791b7852b3c4d7826471a Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Tue, 22 Apr 2014 16:24:18 +0200
Subject: [PATCH] views,middleware: do not ever cache responses containing an LTPA cookie

---
 authentic2_idp_ltpa/middleware.py | 5 +++++
 authentic2_idp_ltpa/views.py | 3 +++
 2 files changed, 8 insertions(+)

diff --git a/authentic2_idp_ltpa/middleware.py b/authentic2_idp_ltpa/middleware.py
index 48bec85..d12ef46 100644
--- a/authentic2_idp_ltpa/middleware.py
+++ b/authentic2_idp_ltpa/middleware.py
@@ -1,8 +1,13 @@
+from django.utils.cache import patch_cache_control
+
 from . import views
 class LTPAMiddleware(object):
     def process_response(self, request, response):
         if request.path == '/' or request.path == '/login/':
             views.add_ltpa_token_to_response(request, response)
+            # prevent client side caching
+            patch_cache_control(response, no_cache=True, no_store=True,
+                    must_revalidate=True)
         return response
diff --git a/authentic2_idp_ltpa/views.py b/authentic2_idp_ltpa/views.py
index 033397e..e5d2c02 100644
--- a/authentic2_idp_ltpa/views.py
+++ b/authentic2_idp_ltpa/views.py
@@ -3,6 +3,7 @@ import urlparse
 from django.core.exceptions import ImproperlyConfigured
 from django.http import HttpResponseRedirect
 from django.conf import settings
+from django.views.decorators.cache import cache_control
 from django.contrib.auth.decorators import login_required
 from django.contrib.auth import REDIRECT_FIELD_NAME
@@ -28,6 +29,7 @@ def add_ltpa_token_to_response(request, response):
     request.session['ltpa'] = True
 @login_required
+@cache_control(no_cache=True, not_store=True, must_revalidate=True)
 def ltpa(request):
     '''Ask for authentication then generate a cookie'''
     next_url = request.REQUEST[REDIRECT_FIELD_NAME]
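Review bot: The no-store header is attached in three separate places (the `patch_cache_control` call added here in `process_response`, plus the two `@cache_control` decorators in views.py) while the cookie itself is attached by a single helper, `views.add_ltpa_token_to_response`; moving the `patch_cache_control(response, no_cache=True, no_store=True, must_revalidate=True)` call into that helper would cover every response that receives the token and remove the duplicated argument lists. As written, the middleware only covers `/` and `/login/`, and the `ltpa` view (which also calls the helper, visible in the last hunk of views.py) depends on its own decorator being correct. The comment `# prevent client side caching` undersells the reason; something like `# the LTPA cookie is a bearer credential: neither a browser nor a shared cache may store this response` would explain why `no_store` is required on top of `no_cache`.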
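Review bot: `not_store=True` on the decorator added above `ltpa` is a misspelling of `no_store=True`; Django's `cache_control` forwards its keyword arguments to `patch_cache_control`, which rewrites the name into a `not-store` directive that no cache recognises, so `no-store` is never emitted and the response that sets the LTPA cookie remains storable (only `no-cache` and `must-revalidate` take effect). The same typo is repeated on the `logout` decorator in the next hunk, while the middleware hunk uses the correct `no_store=True`. Change both to `@cache_control(no_cache=True, no_store=True, must_revalidate=True)`. Because an unknown directive name fails silently, a test asserting `no-store` in the resulting `Cache-Control` header would catch this class of mistake.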
@@ -35,6 +37,7 @@ def ltpa(request):
     add_ltpa_token_to_response(request, response)
     return response
+@cache_control(no_cache=True, not_store=True, must_revalidate=True)
 def logout(request):
     next_url = urlparse.urljoin(settings.STATIC_URL, 'authentic2/images/ok.png')
     response = HttpResponseRedirect(next_url)