RFC2965 on cookies and cache
2007-08-13 @ 19:00
since i've had such a hard time learning the details of how cookies and caches interact, i'm duplicating (below) the entire section 3.2.3 of RFC2965 on the subject. i've read it a couple dozen times, too. just to pound it in.

note the need for the Cache-Control: no-cache="set-cookie" plus at least one other item. also note the caveat in the last para re: HTTP/1.0.
3.2.3 Controlling Caching

An origin server must be cognizant of the effect of possible caching of both the returned resource and the Set-Cookie2 header. Caching "public" documents is desirable. For example, if the origin server wants to use a public document such as a "front door" page as a sentinel to indicate the beginning of a session for which a Set-Cookie2 response header must be generated, the page SHOULD be stored in caches "pre-expired" so that the origin server will see further requests. "Private documents", for example those that contain information strictly private to a session, SHOULD NOT be cached in shared caches.

If the cookie is intended for use by a single user, the Set-Cookie2 header SHOULD NOT be cached. A Set-Cookie2 header that is intended to be shared by multiple users MAY be cached.

The origin server SHOULD send the following additional HTTP/1.1 response headers, depending on circumstances:

* To suppress caching of the Set-Cookie2 header:

    Cache-control: no-cache="set-cookie2"

and one of the following:

* To suppress caching of a private document in shared caches:

    Cache-control: private

* To allow caching of a document and require that it be validated before returning it to the client:

    Cache-Control: must-revalidate, max-age=0

* To allow caching of a document, but to require that proxy caches (not user agent caches) validate it before returning it to the client:

    Cache-Control: proxy-revalidate, max-age=0

* To allow caching of a document and request that it be validated before returning it to the client (by "pre-expiring" it):

    Cache-control: max-age=0

Not all caches will revalidate the document in every case.

HTTP/1.1 servers MUST send Expires: old-date (where old-date is a date long in the past) on responses containing Set-Cookie2 response headers unless they know for certain (by out of band means) that there are no HTTP/1.0 proxies in the response chain. HTTP/1.1 servers MAY send other Cache-Control directives that permit caching by HTTP/1.1 proxies in addition to the Expires: old-date directive; the Cache-Control directive will override the Expires: old-date for HTTP/1.1 proxies.
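To make the header recipe above concrete, here is an added example (mine, not part of the post or of RFC 2965) that does two things: builds the header set the section recommends for a response carrying a per-user Set-Cookie2, and checks an arbitrary response's headers against the same rules (no-cache="set-cookie2", one of the document directives, and the Expires: old-date fallback for HTTP/1.0 proxies). The function and constant names, the sample cookie value and the 1970 "old date" are my own choices; the directive strings are the ones quoted from the RFC.

```python
"""Build and check RFC 2965 section 3.2.3 cache headers for Set-Cookie2 responses.

Added example; function names, OLD_DATE and sample values are assumptions,
only the Cache-Control directive strings come from the RFC text.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# The companion directives RFC 2965 3.2.3 lists; exactly one is combined with
# no-cache="set-cookie2" depending on how cacheable the document itself is.
ALLOWED_DOCUMENT_DIRECTIVES = (
    "private",                      # keep private documents out of shared caches
    "must-revalidate, max-age=0",   # cache, but every cache revalidates
    "proxy-revalidate, max-age=0",  # cache, only proxies must revalidate
    "max-age=0",                    # cache "pre-expired", validation requested
)

# Any date long in the past serves as the RFC's "old-date" (assumed value).
OLD_DATE = "Thu, 01 Jan 1970 00:00:00 GMT"


def build_headers(cookie_value, document_directive="private", http10_proxies_possible=True):
    """Return the response headers the RFC recommends for a per-user cookie.

    `cookie_value` is the Set-Cookie2 header value. Expires: old-date is only
    omitted when the server knows out of band that no HTTP/1.0 proxy is in
    the chain, exactly as the last paragraph of 3.2.3 allows.
    """
    if document_directive not in ALLOWED_DOCUMENT_DIRECTIVES:
        raise ValueError("not one of the RFC 2965 3.2.3 directives: %r" % document_directive)
    headers = {
        "Set-Cookie2": cookie_value,
        "Cache-Control": 'no-cache="set-cookie2", %s' % document_directive,
    }
    if http10_proxies_possible:
        headers["Expires"] = OLD_DATE
    return headers


def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument-or-None}.

    Commas inside quoted arguments (no-cache="set-cookie2, set-cookie") must
    not split the directive, so a naive value.split(",") is not enough.
    """
    parts, token, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            parts.append("".join(token))
            token = []
        else:
            token.append(ch)
    parts.append("".join(token))
    result = {}
    for part in parts:
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        result[name.strip().lower()] = arg.strip().strip('"').lower() if arg else None
    return result


def check_cookie_response(headers, http10_proxies_possible=True, now=None):
    """Return a list of findings; an empty list means the response follows 3.2.3."""
    h = {k.lower(): v for k, v in headers.items()}
    if "set-cookie2" not in h:
        return []  # nothing to protect
    findings = []
    cc = parse_cache_control(h.get("cache-control", ""))

    # A bare no-cache forbids caching the whole response, which also covers
    # the header; otherwise set-cookie2 must be named in the field list.
    bare_no_cache = "no-cache" in cc and cc["no-cache"] is None
    named_fields = [f.strip() for f in (cc.get("no-cache") or "").split(",")]
    if not bare_no_cache and "set-cookie2" not in named_fields:
        findings.append('Cache-Control lacks no-cache="set-cookie2"')

    # One of: private, or max-age=0 (alone or with a revalidate directive).
    if not (bare_no_cache or "private" in cc or cc.get("max-age") == "0"):
        findings.append("Cache-Control lacks private or max-age=0 for the document")

    # HTTP/1.0 proxies ignore Cache-Control, so Expires must be in the past.
    if http10_proxies_possible:
        expires = h.get("expires")
        if expires is None:
            findings.append("no Expires: old-date for HTTP/1.0 proxies")
        else:
            try:
                exp = parsedate_to_datetime(expires)
            except (TypeError, ValueError):
                exp = None
            if exp is None:
                findings.append("Expires is not a valid HTTP date")
            else:
                if exp.tzinfo is None:
                    exp = exp.replace(tzinfo=timezone.utc)
                if exp >= (now or datetime.now(timezone.utc)):
                    findings.append("Expires is not in the past")
    return findings


if __name__ == "__main__":
    # Constructed sample cookie; the response it builds passes the checker.
    good = build_headers('sid="abc123"; Version="1"; Path="/"', "private")
    print(good, check_cookie_response(good))
    # Constructed weak response: header cacheable for an hour, no Expires.
    weak = {"Set-Cookie2": 'sid="abc123"; Version="1"', "Cache-Control": "max-age=3600"}
    print(check_cookie_response(weak))
```

The checker deliberately treats a missing Expires as a finding unless the caller asserts that no HTTP/1.0 proxy can sit in the path, mirroring the MUST/unless wording of the last paragraph; the same function can be run over captured response headers from a proxy log to spot session cookies that a shared cache could replay to other users.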