Summary:
Incorrect setting for session_cache_limiter() in include.php
Detailed Description:
The CMSMS core file "include.php" contains the following section:
    if( isset($CMS_ADMIN_PAGE) || isset($CMS_INSTALL_PAGE) )
    {
        // admin pages can't be cached... period, at all.. never.
        @session_cache_limiter('private');
        header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
        header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
        header("Cache-Control: no-store, no-cache, must-revalidate");
        header("Cache-Control: post-check=0, pre-check=0", false);
        header("Pragma: no-cache");
    }
The problem here is that "@session_cache_limiter('private')" should probably be
"@session_cache_limiter('nocache')".
The intention is clearly to prevent the caching of admin files, but
session_cache_limiter('private') sets the wrong Cache-Control header for
achieving this (see:
http://php.net/manual/en/function.session-cache-limiter.php)
Immediately after calling the session_cache_limiter function, several of the
header fields set with session_cache_limiter are set again. I suspect that in
some circumstances this second group of settings does not effectively overwrite
those set with session_cache_limiter, which leads to problematic caching of
admin files such as is documented here:
http://forum.cmsmadesimple.org/viewtopic.php?f=7&t=71002&p=315160
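
An added check, not part of the original report or of CMSMS: given the response headers of an admin page, it merges every Cache-Control field and lists the reasons a cache could still store or reuse the page. Both header sets are constructed samples (the first modelled on what the PHP manual documents for the 'private' limiter with the default 180-minute session.cache_expire, the second copied from the header() calls quoted above), and the function names are illustrative.

```python
# Constructed sample: headers documented for session_cache_limiter('private').
PRIVATE_LIMITER = [
    "Expires: Thu, 19 Nov 1981 08:52:00 GMT",
    "Cache-Control: private, max-age=10800, pre-check=10800",
]
# Constructed sample: the header() calls from the include.php block.
INTENDED = [
    "Expires: Mon, 26 Jul 1997 05:00:00 GMT",
    "Cache-Control: no-store, no-cache, must-revalidate",
    "Cache-Control: post-check=0, pre-check=0",
    "Pragma: no-cache",
]

def cache_directives(header_lines):
    """Merge every Cache-Control field into one {directive: value} dict."""
    directives = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "cache-control":
            continue
        for item in value.split(","):
            key, _, arg = item.strip().partition("=")
            if key:
                directives[key.lower()] = arg.strip('"') or None
    return directives

def _positive(value):
    """True when a directive argument is a number greater than zero."""
    return bool(value) and value.isdigit() and int(value) > 0

def admin_cache_findings(header_lines):
    """Return the reasons a cache may store or reuse this admin response."""
    d = cache_directives(header_lines)
    findings = []
    if "no-store" not in d:
        findings.append("no-store missing: a cache may keep a copy")
        if "no-cache" not in d and _positive(d.get("max-age")):
            findings.append("reusable for %s s without revalidation" % d["max-age"])
    elif "private" in d or "public" in d or _positive(d.get("max-age")):
        findings.append("no-store mixed with permissive directives")
    return findings

if __name__ == "__main__":
    for label, sample in (("private", PRIVATE_LIMITER), ("intended", INTENDED)):
        print(label, admin_cache_findings(sample) or "not cacheable")
```

Feed it the header lines actually returned for an admin URL (for example from a saved response) to see which of the two sets the server ended up sending.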