RFC2965 on cookies and cache

2007-08-13 @ 19:00

since i've had such a hard time learning the details of how cookies and caches interact, i'm duplicating (below) the entire section 3.2.3 of RFC2965 on the subject. i've read it a couple dozen times, too. just to pound it in.

note the need for the Cache-Control:no-cache="set-cookie" plus at least one other item. also note the caveat in the last para re: HTTP/1.0.

3.2.3 Controlling Caching

An origin server must be cognizant of the effect of possible caching of both the returned resource and the Set-Cookie2 header. Caching "public" documents is desirable. For example, if the origin server wants to use a public document such as a "front door" page as a sentinel to indicate the beginning of a session for which a Set-Cookie2 response header must be generated, the page SHOULD be stored in caches "pre-expired" so that the origin server will see further requests. "Private documents", for example those that contain information strictly private to a session, SHOULD NOT be cached in shared caches.

If the cookie is intended for use by a single user, the Set-Cookie2 header SHOULD NOT be cached. A Set-Cookie2 header that is intended to be shared by multiple users MAY be cached.

The origin server SHOULD send the following additional HTTP/1.1 response headers, depending on circumstances:

* To suppress caching of the Set-Cookie2 header: Cache-control: no-cache="set-cookie2" and one of the following:

* To suppress caching of a private document in shared caches: Cache-control: private

* To allow caching of a document and require that it be validated before returning it to the client: Cache-Control: must-revalidate, max-age=0

* To allow caching of a document, but to require that proxy caches (not user agent caches) validate it before returning it to the client: Cache-Control: proxy-revalidate, max-age=0

* To allow caching of a document and request that it be validated before returning it to the client (by "pre-expiring" it): Cache-control: max-age=0

  Not all caches will revalidate the document in every case.

HTTP/1.1 servers MUST send Expires: old-date (where old-date is a date long in the past) on responses containing Set-Cookie2 response headers unless they know for certain (by out of band means) that there are no HTTP/1.0 proxies in the response chain.
HTTP/1.1 servers MAY send other Cache-Control directives that permit caching by HTTP/1.1 proxies in addition to the Expires: old-date directive; the Cache-Control directive will override the Expires: old-date for HTTP/1.1 proxies.
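as an added example (my own code, not part of the RFC or the original post): a small checker that applies the rules quoted above to a response's headers and reports what a shared cache could still retain. the header lists at the bottom are constructed samples; it also accepts plain Set-Cookie, which the RFC text itself does not mention.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

COOKIE_HEADERS = {"set-cookie", "set-cookie2"}  # RFC 2965 uses Set-Cookie2; plain Set-Cookie is covered too

def parse_cache_control(value):
    """Map each directive to its unquoted, lower-cased argument (None if bare); quoted commas survive."""
    directives = {}
    for part in re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', value):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"').lower() or None
    return directives

def expires_is_old(value):
    """True if Expires is in the past; RFC 2616 14.21 makes invalid values such as "0" count as past."""
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return True
    if when.tzinfo is None:  # zone-less date: treat as UTC
        when = when.replace(tzinfo=timezone.utc)
    return when < datetime.now(timezone.utc)

def check_cookie_caching(headers, no_http10_proxies=False):
    """Section 3.2.3 findings for a response given as [(name, value), ...]; [] means it complies."""
    lowered = [(n.lower(), v) for n, v in headers]
    present = {n for n, _ in lowered} & COOKIE_HEADERS
    if not present:
        return []  # no cookie set, nothing for a shared cache to hand to another user
    cc = {}
    for v in (v for n, v in lowered if n == "cache-control"):
        cc.update(parse_cache_control(v))
    fields = cc.get("no-cache")  # None if the directive is bare (whole response) or absent
    findings = [] if "no-cache" in cc else ['missing Cache-Control: no-cache="set-cookie2" (cookie header is cacheable)']
    if fields and not ({f.strip() for f in fields.split(",")} & present):
        findings.append("no-cache field list does not name the cookie header")
    # "and one of the following": private, or max-age=0 (alone or with must-/proxy-revalidate).
    if not ("private" in cc or cc.get("max-age") == "0" or ("no-cache" in cc and fields is None)):
        findings.append("document caching not restricted: need private or max-age=0")
    expires = [v for n, v in lowered if n == "expires"]
    if not no_http10_proxies and not (expires and expires_is_old(expires[-1])):
        findings.append("missing Expires: old-date (required unless no HTTP/1.0 proxies are in the chain)")
    return findings

WEAK = [("Set-Cookie2", 'sid=abc123; Version="1"'), ("Cache-Control", "public, max-age=3600")]  # constructed
HARDENED = [("Set-Cookie2", 'sid=abc123; Version="1"'), ("Cache-Control", 'no-cache="set-cookie2", private'),
            ("Expires", "Thu, 01 Jan 1970 00:00:00 GMT")]  # constructed
```

running check_cookie_caching(WEAK) lists all three gaps; check_cookie_caching(HARDENED) returns an empty list.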
