caching and cookies

2007-08-11 @ 15:04

AFAIK, when you use a cookie in a web request/response, public web caches will *not* cache the page. apparently, it's possible to instruct 1.1 caches to simply not cache the cookie header (Cache-Control: no-cache="set-cookie") but i'm kinda unclear on how that works. i'm trying to dig into some details, but it's kinda hard to find. there's been lots of discussion on the 'net, but i'm not getting a clear picture. duane wessels' book Web Caching is pretty helpful, but i'm still unclear on the full meaning since various headers all come into play on this. i'll continue to dig away.

the good news is that my exyus framework no longer spits out a session cookie for every request. this really didn't make sense anymore to me and i've not missed it one bit after almost a month. now, the only cookie i produce is one that holds the logged-in user's name. this seems kinda silly since the http server var carries this data in each request anyway (AUTH_USER). so, i guess i need no cookies, right?

i'm a bit concerned about cases where i might want to build a shopping cart or some other sustained data over the life of a session (or multiple sessions). i even started working on a REST resource model for session data based on the logged in user. but then that seems foolish, too. if i have the AUTH_USER value, i can keep anything i think is important on the server with that key, right? but how does the *client* access that data (one of the things cookies are good for)? i could use AJAX or JSON, but that means HTML-only clients are stuck with no session data. i suppose i could squirt this server-side data directly in the page for those cases, but it seems kinda clunky.

<input type="hidden" name="{session-var-name}" value="{session-var-value}" />

i know i'm close to getting this cleared up, but i can tell i need more work on this. surely this has all been sorted out in the past by brighter minds than mine!

finally, if i just understood the details/implications of the whole cookie/caching thing maybe this would just 'go away.'
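
The `no-cache="set-cookie"` directive mentioned at the top of this post, worked through as an added example (not part of the original post and not exyus code): under RFC 2616 section 14.9.1 a cache may reuse such a response but must not replay the listed header fields without revalidating. The function names and sample headers are constructed for illustration, and handling `private` the same way goes one step beyond the text.

```python
import re

# One directive: name, optionally followed by =token or ="quoted, list".
_DIRECTIVE = re.compile(r'([\w-]+)(?:=(?:"([^"]*)"|([^,\s]*)))?')

def parse_cache_control(value):
    """Return {directive: argument or None}, directive names lowercased."""
    out = {}
    for m in _DIRECTIVE.finditer(value):
        name, quoted, bare = m.groups()
        out[name.lower()] = quoted if quoted is not None else bare
    return out

def servable_from_shared_cache(headers):
    """headers: list of (name, value) pairs from the origin response.

    Returns the headers a shared cache may replay to a *different* client
    without revalidating, or None when it must not reuse the response as-is.
    """
    cc = {}
    for name, value in headers:
        if name.lower() == "cache-control":
            cc.update(parse_cache_control(value))
    if "no-store" in cc:
        return None
    withheld = set()
    for directive in ("no-cache", "private"):
        if directive in cc:
            fields = cc[directive]
            if not fields:
                # Unqualified form covers the whole response.
                return None
            # Qualified form: only the named header fields are withheld.
            withheld |= {f.strip().lower() for f in fields.split(",") if f.strip()}
    return [(n, v) for n, v in headers if n.lower() not in withheld]

# Constructed sample response: cacheable page, per-user cookie.
SAMPLE = [
    ("Content-Type", "text/html"),
    ("Cache-Control", 'max-age=60, no-cache="set-cookie"'),
    ("Set-Cookie", "user=alice; Path=/"),
]

if __name__ == "__main__":
    for name, value in servable_from_shared_cache(SAMPLE):
        print(f"{name}: {value}")
```

RFC 7234 notes that many caches treat the qualified form as a plain `no-cache`, so a response that must never be shared between users is safer marked `private` or `no-store`.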
