
Explicitly disable caching #9

Open
ddriddle opened this issue Apr 5, 2019 · 0 comments
ddriddle commented Apr 5, 2019

When I performed a curl against auth/elmr/session, I received the following headers:

$ curl --cookie '__edu.illinois.techservices.elmr.serviceUrl=/foo/bar' -sD - http://127.0.0.1/auth/elmr/session
HTTP/1.1 302 302
Server: nginx/1.14.2
Date: Fri, 05 Apr 2019 19:05:37 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: __edu.illinois.techservices.elmr.servlets.sessionKey=MTIzNA==; Path=/
Location: http://127.0.0.1/foo/bar

According to RFC 7234 we should assume that this page will be cached since no Cache-Control headers are set:

Although caching is an entirely OPTIONAL feature of HTTP, it can be assumed that reusing a cached response is desirable and that such reuse is the default behavior when no requirement or local configuration prevents it.

It is not desirable that any page coming from elmrsample be cached since it is wrapped with Shibboleth, and the content itself is not designed to be cacheable. Please ensure that all pages set the following Cache-Control headers per Amazon's recommendations:

Cache-Control: no-cache, no-store

FYI This Stack Overflow thread gives a bunch of code examples in various languages including Java and Python. In addition, for backwards compatibility with all browsers since the 90's it recommends the following settings:

Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0

For modern browsers and caches the settings recommended by Amazon are sufficient. You can find more information about these directives from the RFC here. I will leave it to you to decide which recommendation to follow. I will test for no-cache, no-store.
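An added check for the test described in this issue (not part of elmr or the issue author's code): it parses a raw header block such as the `curl -sD -` output above and reports which of the required caching headers are missing, against either the Amazon set (`no-cache, no-store`) or the legacy Stack Overflow set. The sample responses are constructed from the 302 quoted in the issue.

```python
def parse_headers(raw):
    """Split a raw HTTP response into (status_line, headers); header names are
    lowercased and each maps to a list, since fields such as Set-Cookie repeat."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [ln for ln in head.split("\n") if ln.strip()]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def cache_control_directives(headers):
    """Merge every Cache-Control field into one {directive: argument} map.
    RFC 7234 lets the field repeat or hold a comma list; names are case-insensitive."""
    directives = {}
    for value in headers.get("cache-control", []):
        for part in value.split(","):
            name, _, arg = part.strip().partition("=")
            if name:
                directives[name.lower()] = arg.strip().strip('"') or None
    return directives

def check_no_cache(raw, legacy=False):
    """Return the requirements the response fails. Always: no-cache and no-store
    (the Amazon set). With legacy=True also: must-revalidate, Pragma: no-cache,
    Expires: 0 (the Stack Overflow set for old browsers)."""
    _, headers = parse_headers(raw)
    directives = cache_control_directives(headers)
    missing = [d for d in ("no-cache", "no-store") if d not in directives]
    if legacy:
        if "must-revalidate" not in directives:
            missing.append("must-revalidate")
        if "no-cache" not in [v.lower() for v in headers.get("pragma", [])]:
            missing.append("Pragma: no-cache")
        if headers.get("expires", [""])[0] != "0":
            missing.append("Expires: 0")
    return missing

# Constructed sample: the 302 from the issue, which carries no caching headers.
SAMPLE_UNCACHED = (
    "HTTP/1.1 302 302\r\nServer: nginx/1.14.2\r\nContent-Length: 0\r\n"
    "Set-Cookie: __edu.illinois.techservices.elmr.servlets.sessionKey=MTIzNA==; Path=/\r\n"
    "Location: http://127.0.0.1/foo/bar\r\n\r\n"
)
# Constructed sample: the same response after the fix, with the directives in mixed case.
SAMPLE_FIXED = SAMPLE_UNCACHED.replace("Server:", "Cache-Control: No-Cache, No-Store\r\nServer:")

if __name__ == "__main__":
    print("before fix, missing:", check_no_cache(SAMPLE_UNCACHED))
    print("after fix, missing:", check_no_cache(SAMPLE_FIXED, legacy=True))
```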
