by jove, i think i've got it!
2007-08-13 @ 22:24#
ok, after the whack on the head earlier today, a quick check of the RFCs and some code cleanup, i think i have the proper caching directives for cookie-less, cookie-d, and authenticated GET/HEAD requests. i hereby submit the following traces:
REQUEST: **************
GET /xcs/blogging/ HTTP/1.1
Host: localhost
Accept: */*
RESPONSE: **************
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.1
Date: Tue, 14 Aug 2007 02:22:35 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Exyus: 0.8.2781.38443 2007-08
Last-Modified: Tue, 14 Aug 2007 02:22:10 GMT
ETag: jP7knFoirqpOEPQ/UD0aFw==
Cache-Control: public,must-revalidate,post-check=1,pre-check=2
Content-Type: text/html; charset=utf-8
Content-Length: 5738
REQUEST: **************
GET /xcs/blogging/ HTTP/1.1
Host: localhost
Accept: */*
Authorization: Basic xxxxxxxxxxxxxxxx==
RESPONSE: **************
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.1
Date: Tue, 14 Aug 2007 02:22:09 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Exyus: 0.8.2781.38443 2007-08
Set-Cookie: session-user=xxx; path=/
Expires: Mon, 01 Jan 0001 01:00:00 GMT
Last-Modified: Tue, 14 Aug 2007 02:22:10 GMT
ETag: jP7knFoirqpOEPQ/UD0aFw==
Cache-Control: private,must-revalidate,nocache="set-cookie",max-age=0,post-check=1,pre-check=2
Content-Type: text/html; charset=utf-8
Content-Length: 5738