"Burn after reading" pastes can be reloaded in browser

[asherber]

Describe the problem/question

I'm self-hosting PrivateBin on Linux/Apache, using the filesystem to store pastes. When I create and then view a burn-on-reading paste, I can see that the corresponding file gets created and then deleted. But if I reload the page in my browser (currently using Chrome), or visit the URL in another browser tab, then I can pull up the same paste again. If I visit the URL in another browser or an incognito window, then the paste is not available, as expected.

It seems like there's some caching going on, probably at the browser level. Is this a bug, or is there some config option I missed?

Did you use the FAQ section?

• Yes, I have read the FAQ and I found no solution/answer there.

What you did?

1. Create a new burn-on-read paste
2. Visit the URL
3. Hit reload in Chrome
4. Open a new tab, visit URL

What happens

Whenever I reload the tab or visit the URL in a new tab, I am able to see the paste, even though I can see on the server that the paste file is gone.

What should happen

The paste should not display.

Additional information

On privatebin.net, although I get the popup indicating that burn-on-read pastes can only be read once, the actual paste does not display on subsequent loads. ("Could not get paste data: Paste does not exist, has expired or has been deleted.") Is privatebin.net also using the filesystem?

Server address

No response

Server OS

Ubuntu

Webserver

Apache

PrivateBin version

v1.7.1

Browser and version

Chrome and Edge latest

Local operating system and version

Windows 11

Issue reproducibility

No, I cannot reproduce it on https://privatebin.net.

[elrido]

I cannot reproduce this on either Chromium or Firefox either, sorry. If I understand correctly, you only get this on your own instance, not on the privatebin.net demo instance? If yes, that would rule out your browser, it would either be a difference in headers sent to the browser, that makes it cache the API response, or the webserver caching it?

[asherber]

Yes, that looks right. When I visit the URL of a burn-on-read paste, the initial call to ?<id> returns with cache control no-store, no-cache, no-transform, must-revalidate. It looks like this is set in Controller.php, in the _view method.

But on my site, the subsequent ajax call to ?pasteid=<id> returns with max-age=172800 and I suppose the browser is caching that. (On privatebin.net, the ajax call returns with no cache-control header.)

Shouldn't the __construct method set the same cache control headers as _view, so that JSON responses don't get cached? I just added it there in my copy, and now burn-on-read pastes behave as expected.

[asherber]

I'm happy to submit a PR if this seems like an appropriate change.

[elrido]

That does sound like a good idea. Yes, the JSON responses should not ever get cached. A PR would be greatly appreciated!

[asherber]

I'm on my way out of town for a few days, will be happy to take care of this when I return.

[rugk]

Ref (as PRs do not seem to be linked in discussions), fixed in #1263