I’ve been asked to implement a security requirement that we instruct browsers not to cache sensitive data. This is all fine for the ASPX content using the standard instructions:

        Response.Expires = -1;
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();

However when I set these headers for PDF downloads, IE8 won’t show the PDF (haven’t tried other IE versions yet, kinda moot, I need it working on all of them, even IEfreaking6). Seems to work in firefox 4 beta, but I haven’t double checked that it’s definitely not caching it. Here is the abridged version of the code I’m using to serve the PDFs:

        Response.Clear();
        Response.ClearHeaders();
        Response.ClearContent();
        Response.Buffer = true;

        //This stops the PDFs from being viewed :(
        //Response.Expires = -1;
        //Response.Cache.SetCacheability(HttpCacheability.NoCache);
        //Response.Cache.SetNoStore();

        Response.ContentType = mime;
        Response.AddHeader("Content-Disposition", disposition);

        Response.BinaryWrite(file);

        Response.End();

Where in the case of PDFs the mime type is set to:

       private const string mimeTypePDF = "application/pdf";

The disposition is set to:

       var disposition = String.Format("{0};filename=\"{1}\"", SendInline ? "inline" : "attachment", Path.GetFileName(filename));

I’m going to play-around a bit more, maybe forcing them to download as mimetype “application/octet-stream” might work, but that would stop the nice open PDF’s in a new browser window from working.

Has anyone had any success with preventing IE from caching PDFs from the server side and successfully displaying them?

Just to give a clear example about what happens. In one scenario user’s can select a bunch of reports from a list, these are compiled into a PDF and the PDF is shown in a new browser window. With the caching enabled the browser window opens, but remains resolutely blank.