I was digging through my Apache httpd access logs the other day and noticed that a particular Firefox user was hitting my favicon over and over. In fact, it seemed to be making the request every 10 seconds or so. At this point, I'm sort of assuming that someone's Firefox has just gone bonkers. But, there was something that caught my eye:
x.x.x.x - - [26/Apr/2011:23:29:54 -0500] "GET /favicon.ico HTTP/1.0" 304 - "-" "Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-GB; rv:18.104.22.168) Gecko/20110318 Red Hat/3.6-1.el5_6 Firefox/3.6.15"
Notice that the server is returning a 304 status code (the part right after
"GET /favicon.ico HTTP/1.0"). A 304 status code means that the browser asked
if there was a newer version of the file, and the server responded that there was
none. Here's a look at the HTTP request (I've chomped out a few bits that I thought
revealed a bit too much about the user):
GET /favicon.ico HTTP/1.0
Host: slaptijack.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-GB; rv:22.214.171.124) Gecko/20110318 Red Hat/3.6-1.el5_6 Firefox/3.6.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
If-None-Match: "34b0e6-115-fd0a9f00"
Cache-Control: max-age=259200
Connection: keep-alive
What you see above is a conditional GET. The If-None-Match
header tells the web server to only send the file if the entity tag (ETag) is
different. If the entity tag hasn't changed, then the browser already has the
latest copy of the file. By the way, I used a combination of
tcpdump and wireshark to
grab and view the HTTP request.
At this point, I see no reason to stop whatever the user is doing.
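To spot this kind of fixed-interval polling without reading the log by eye, the sketch below (an added example, not code from the original post) groups Apache combined-format lines by client, path and User-Agent and flags keys whose requests arrive at a near-constant interval. The function name `find_pollers`, its thresholds and the sample lines with documentation IP addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)

def find_pollers(lines, min_hits=5, max_jitter=2.0):
    """Map (host, path, agent) -> (hits, median gap in s, share of 304s) for periodic clients."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        seen[(m["host"], m["path"], m["agent"])].append((ts, m["status"]))

    pollers = {}
    for key, hits in seen.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        mid = median(gaps)
        # Periodic means every gap stays within max_jitter seconds of the median.
        if mid > 0 and all(abs(g - mid) <= max_jitter for g in gaps):
            share_304 = sum(s == "304" for _, s in hits) / len(hits)
            pollers[key] = (len(hits), mid, share_304)
    return pollers

# Constructed sample: 192.0.2.10 polls the favicon every ~10 s, 192.0.2.20 browses normally.
UA = "Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-GB) Firefox/3.6.15"
SAMPLE = [
    f'192.0.2.10 - - [26/Apr/2011:23:29:{s:02d} -0500] "GET /favicon.ico HTTP/1.0" 304 - "-" "{UA}"'
    for s in (4, 14, 24, 35, 44, 54)
] + [
    f'192.0.2.20 - - [26/Apr/2011:23:{m:02d}:00 -0500] "GET /favicon.ico HTTP/1.1" 200 277 "-" "{UA}"'
    for m in (1, 2, 9, 30, 31)
]

if __name__ == "__main__":
    for (host, path, _), (n, gap, share) in find_pollers(SAMPLE).items():
        print(f"{host} {path}: {n} hits, ~{gap:.0f}s apart, {share:.0%} were 304")
```

A high share of 304 responses on a flagged key means the client is revalidating a cached copy each time, so the cost to the server is small.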